PerlMonks  

Re: XSS protection in CGI::Application

by skx (Parson)
on Mar 02, 2010 at 19:30 UTC (#826239=note)


in reply to XSS protection in CGI::Application

The way I'd solve this is to explicitly catch an unknown mode via:

    my $self = shift;
    $self->run_modes(
        # default
        'index'     => 'index',
        # user's tag cloud
        'tag_cloud' => 'tag_cloud',
        'edit_tags' => 'edit_tags',
        'tag_find'  => 'tag_find',
        # ...
        # called on unknown mode.
        'AUTOLOAD'  => 'unknown_mode',
    );

In your unknown mode you can then handle it as you wish - without echoing the mode back to the client and potentially allowing an XSS attack.

My own method is generally:

    use HTML::Entities;

    sub unknown_mode {
        my ( $self, $requested ) = (@_);
        my $q        = $self->query();
        my $session  = $self->param('session');
        my $username = $session->param('logged_in');

        # Encode the requested mode name before it goes back into HTML.
        $requested = HTML::Entities::encode_entities($requested);

        if ( defined($username) && length($username) ) {
            return "<p>unknown mode '$requested' for logged in user $username</p>";
        }
        else {
            return "<p>Unknown mode '$requested' for anonymous user.</p>";
        }
    }

Obviously the username section is specific to the sites I design .. but the idea of handling the unknown mode yourself should be simple enough to understand?

Steve
--

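A complete, runnable version of the approach above, added here as an example and not part of skx's post: a small CGI::Application subclass whose AUTOLOAD run mode encodes the requested mode name, driven by a constructed CGI query instead of a live request. The package name TagApp, the run modes and the ?rm= value are assumptions.

```perl
package TagApp;
use strict;
use warnings;
use base 'CGI::Application';
use HTML::Entities qw(encode_entities);

sub setup {
    my $self = shift;
    $self->start_mode('index');
    $self->run_modes(
        'index'     => 'index',
        'tag_cloud' => 'tag_cloud',
        # Any mode not listed above is routed here instead of to
        # CGI::Application's own "No such run mode" error, which
        # carries the raw mode name.
        'AUTOLOAD'  => 'unknown_mode',
    );
}

sub index     { return "<p>index</p>" }
sub tag_cloud { return "<p>tag cloud</p>" }

# CGI::Application passes the requested (unknown) mode name as the
# second argument to the AUTOLOAD handler.
sub unknown_mode {
    my ( $self, $requested ) = @_;
    # Encode before interpolating into HTML so a crafted ?rm= value
    # is rendered as text rather than as markup.
    my $safe = encode_entities($requested);
    $self->header_props( -status => '404 Not Found' );
    return "<p>Unknown mode '$safe'.</p>";
}

package main;
use strict;
use warnings;
use CGI;

# Return the output instead of printing it, so we can inspect it.
$ENV{CGI_APP_RETURN_ONLY} = 1;

# Constructed request: an rm value that is markup, not a real mode.
my $q   = CGI->new( { rm => q{<b>not-a-mode</b>} } );
my $app = TagApp->new( QUERY => $q );
my $out = $app->run();

# The body must contain &lt;b&gt;..., never the literal tag.
die "raw markup leaked into output\n" if $out =~ /<b>/;
print $out;
```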

Re^2: XSS protection in CGI::Application
by srdst13 (Pilgrim) on Mar 02, 2010 at 19:54 UTC

    This worked as expected. Thanks for the help.

    Sean
