Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight
 
PerlMonks  

Re: XSS-Bug in HTML::BBCode

by b10m (Vicar)
on Aug 14, 2007 at 14:52 UTC ( #632510=note: print w/replies, xml ) Need Help??


in reply to Re^2: XSS-Bug in HTML::BBCode
in thread XSS-Bug in HTML::BBCode

I was actually already looking into this possibility :-) Instead of changing the parser's behaviour, just let it do it's work and then remove all unwanted stuff afterwards. That _should_ prevent further abuse aswell (assuming your module is flawless ;-) )

--
b10m

All code is usually tested, but rarely trusted.

Replies are listed 'Best First'.
Re^2: XSS-Bug in HTML::BBCode
by clinton (Priest) on Aug 14, 2007 at 15:00 UTC
    If it's not flawless, I'll point all blame at the original author - any praise will, naturally, stop with me :)

    That said, I've added tests for all (relevant) exploits on the XSS (Cross Site Scripting) Cheat Sheet website.

    I don't know what tags you generate through HTML::BBCode, but you may need to override (by sub-classing) the default list if you need to add any.

    Also, I think that your HTML generator would be a good match with HTML::StripScripts, because StripScripts need to receive tokens, and your module is generating tokens... the interface should be pretty easy.

    If you need any help with it, drop me a /msg

    Clint

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://632510]
help
Chatterbox?
[Corion]: I mean, in a way it would be nicer+easier if they always where that obedient, but it's comforting to see that they are when it matters, at least for now ;)

How do I use this? | Other CB clients
Other Users?
Others cooling their heels in the Monastery: (4)
As of 2016-12-08 09:33 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    On a regular basis, I'm most likely to spy upon:













    Results (138 votes). Check out past polls.