Beefy Boxes and Bandwidth Generously Provided by pair Networks
Pathologically Eclectic Rubbish Lister
 
PerlMonks  

Re: XSS-Bug in HTML::BBCode

by b10m (Vicar)
on Aug 14, 2007 at 14:52 UTC ( #632510=note: print w/ replies, xml ) Need Help??


in reply to Re^2: XSS-Bug in HTML::BBCode
in thread XSS-Bug in HTML::BBCode

I was actually already looking into this possibility :-) Instead of changing the parser's behaviour, just let it do it's work and then remove all unwanted stuff afterwards. That _should_ prevent further abuse aswell (assuming your module is flawless ;-) )

--
b10m

All code is usually tested, but rarely trusted.


Comment on Re: XSS-Bug in HTML::BBCode
Re^2: XSS-Bug in HTML::BBCode
by clinton (Priest) on Aug 14, 2007 at 15:00 UTC
    If it's not flawless, I'll point all blame at the original author - any praise will, naturally, stop with me :)

    That said, I've added tests for all (relevant) exploits on the XSS (Cross Site Scripting) Cheat Sheet website.

    I don't know what tags you generate through HTML::BBCode, but you may need to override (by sub-classing) the default list if you need to add any.

    Also, I think that your HTML generator would be a good match with HTML::StripScripts, because StripScripts need to receive tokens, and your module is generating tokens... the interface should be pretty easy.

    If you need any help with it, drop me a /msg

    Clint

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://632510]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others musing on the Monastery: (4)
As of 2015-07-07 04:13 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The top three priorities of my open tasks are (in descending order of likelihood to be worked on) ...









    Results (87 votes), past polls