Beefy Boxes and Bandwidth Generously Provided by pair Networks vroom
The stupid question is the question not asked
 
PerlMonks  

Re^2: Need help figure out CSRF vulnerability on this cgi code

by tinita (Parson)
on Mar 31, 2012 at 20:51 UTC ( #962798=note: print w/ replies, xml ) Need Help??


in reply to Re: Need help figure out CSRF vulnerability on this cgi code
in thread Need help figure out CSRF vulnerability on this cgi code

Wherever you take in input from the internet, and output it directly as HTML, you have a CSRF.
i'd rather say, you have XSS, and CSRF is an effect of this, and by eliminating XSS you are not safe from CSRF
Basically, add add ESCAPE=HTML to all variables in your template.
or better, use default_escape 'HTML', so you can't forget to do it in the template.


Comment on Re^2: Need help figure out CSRF vulnerability on this cgi code

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://962798]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (5)
As of 2013-05-24 22:18 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The best material for plates (tableware) is:









    Results (516 votes), past polls