PerlMonks  

Re^2: default_escape for Template::Toolkit?

by andreas1234567 (Vicar)
on Apr 16, 2008 at 10:40 UTC (#680762)


in reply to Re: default_escape for Template::Toolkit?
in thread default_escape for Template::Toolkit?

what do you do to prevent XSS reliably?
  • Sanitize user input using an accept-known-good-only approach (link to owasp.com). I find Embperl::Form::Validate very useful, although there are many others as well.
  • Flip HTML::Mason's default_escape_flags so that if someone enters:
    <script>load_malicious_javascript_from_hacker_site;</script>
    into a text field in your blog, it is displayed verbatim rather than turned into executable code.
The OWASP Guide to Building Secure Web Applications version 3 draft is out. It is certainly an interesting read for those concerned about web application security.
--
When you earnestly believe you can compensate for a lack of skill by doubling your efforts, there's no end to what you can't do. [1]


Re^3: default_escape for Template::Toolkit?
by moritz (Cardinal) on Apr 16, 2008 at 10:53 UTC
    I think the question was directed at TT users. At least mine was.
    Flip HTML::Mason's default_escape_flags

    That's the point. TT doesn't seem to have such a flag (or at least nobody knows about it). HTML::Template and HTML::Mason (documented in HTML::Mason::Compiler) have some default escaping mechanism. So what do the TT users do?

    I can't believe they never forget to escape something and therefore don't need a better solution.

      I agree that I have taken tinita's last question in Re: default_escape for Template::Toolkit? out of the original context.

      So what do the TT users do?
      I have no idea. Except consider how important such a feature is, and given it's important, switch to a templating system that supports it.
      --
      When you earnestly believe you can compensate for a lack of skill by doubling your efforts, there's no end to what you can't do. [1]
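Added example, not code from any of the posts above: one way a TT user can get the escape-by-default behaviour that moritz's question ("So what do the TT users do?") is about, without switching templating systems. Instead of relying on a per-variable `[% var | html %]` filter (which is what Template::Toolkit offers out of the box, and which is easy to forget), the script escapes every plain string in the stash before `Template->process` sees it, so the `<script>` payload from the first post comes out as inert text. The `TrustedHTML` marker class and the `escape_stash` and `render_safe` helpers are my own names; the hostile comment string is a constructed sample.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;   # Template::Toolkit; the only external dependency

# Escape the characters that matter in HTML text and attribute context.
# Same set as TT's built-in "html" filter, plus the single quote so the
# result is also safe inside single-quoted attributes.
sub html_escape {
    my $s = shift;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Marker class (hypothetical name) for markup the application itself
# produced and wants emitted verbatim. Anything not wrapped in it is
# treated as untrusted and escaped.
package TrustedHTML;
use overload '""' => sub { ${ $_[0] } }, fallback => 1;
sub new { my ($class, $html) = @_; return bless \$html, $class }
package main;

sub trusted { return TrustedHTML->new(shift) }

# Walk the stash recursively and escape every plain string. Trusted
# markup is unwrapped, containers are rebuilt, everything else (code
# refs, other objects) is passed through unchanged.
sub escape_stash {
    my $v = shift;
    return $v unless defined $v;
    my $ref = ref $v;
    if (!$ref)                 { return html_escape($v) }
    if ($ref eq 'TrustedHTML') { return "$v" }
    if ($ref eq 'ARRAY')       { return [ map { escape_stash($_) } @$v ] }
    if ($ref eq 'HASH') {
        return { map { $_ => escape_stash($v->{$_}) } keys %$v };
    }
    return $v;
}

# Render a template from a string with an escaped copy of the stash.
sub render_safe {
    my ($template_text, $vars) = @_;
    my $tt = Template->new() or die Template->error;
    my $out = '';
    $tt->process(\$template_text, escape_stash($vars), \$out)
        or die $tt->error;
    return $out;
}

my $template = <<'TT';
<h1>[% title %]</h1>
<p class="comment">[% comment %]</p>
<div class="sidebar">[% sidebar %]</div>
TT

my $vars = {
    title   => 'Guest book',
    # constructed hostile input, the case from the first post
    comment => '<script>load_malicious_javascript_from_hacker_site;</script>',
    # markup generated by our own code, explicitly marked as trusted
    sidebar => trusted('<a href="/about">About</a>'),
};

print render_safe($template, $vars);
# The comment paragraph is rendered as
#   &lt;script&gt;load_malicious_javascript_from_hacker_site;&lt;/script&gt;
# while the sidebar link is emitted unchanged.
```

Two things to keep in mind when using this pattern: because the stash is already escaped, templates must not additionally apply `| html` to those variables or the output is double-escaped; and the escaping is for HTML text and attribute values only, so a value dropped into a JavaScript block, a URL, or a CSS context still needs the escaping rules of that context.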
