PerlMonks  

Module to filter user-input HTML text for security?

by 914 (Pilgrim)
on Jul 17, 2004 at 09:59 UTC ( #375217=perlquestion )

914 has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks,

I've trolled around Search, Super Search, http://perlmonks.thepen.com and CPAN's HTML section looking for a nice way to take web-input data and filter it for broken and/or potentially harmful things. HTML::QuickCheck looks close, but only parses for correct html, and was last updated in 1995.

update: using cpan.uwinnipeg.ca is not the best idea, as it seems rather out of date.

Alas, no luck. I'm using blosxom and would like to use the comments plugin, but it is heinously insecure in that it accepts any old text and will then post it to the blogpage...

I'm concerned about SSI, bad/unclosed html tags, cross-site scripting (XSS) attacks and so forth... the HTML-QuickCheck module addresses some of this, and I could use a regex to filter HTML comments and PHP include tags and so forth, but I suspect someone has already built this wheel.

Recommendations?

UPDATE: I found my own answer while checking the CPAN link above.... HTML::CGIChecker. I'm going to post this anyhow, so others can see it, and for the next schlub who searches here for help on securing blosxom, may (s)he find it early!

update2: using cpan.uwinnipeg.ca is not the best idea, as it seems rather out of date.
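An allowlist-style filter of the kind the question asks for, added here as an illustration; it is not code from this thread, from blosxom or from HTML::CGIChecker. It assumes HTML::Parser and HTML::Entities are installed, and the tag/attribute policy in %ALLOW is an assumed one: everything outside it is rendered as escaped text, comments (including SSI directives) and processing instructions (PHP tags) are dropped, and any tag the commenter leaves open is closed.

```perl
use strict;
use warnings;
use HTML::Parser;
use HTML::Entities qw(encode_entities);
# Assumed policy: tag => [allowed attributes]. Anything not listed is
# escaped (shown as text), not silently dropped, so nothing unexpected renders.
my %ALLOW = (p => [], br => [], b => [], i => [], em => [], strong => [],
             code => [], pre => [], a => ['href']);
sub esc { encode_entities($_[0] // '', q{<>&"'}) }

# Only plain http(s) or site-relative links survive; javascript:, data: etc. do not.
sub safe_url { my $u = shift // ''; $u =~ m{\A(?:https?://|/)[^\s"'<>]*\z}i ? $u : undef }

sub filter_html {
    my ($html) = @_;
    my ($out, @open) = ('');            # @open tracks tags we emitted, to keep output balanced
    my $p = HTML::Parser->new(
        api_version => 3,
        start_h => [sub {
            my ($tag, $attr, $raw) = @_;
            unless (exists $ALLOW{$tag}) { $out .= esc($raw); return }   # e.g. <script>, <iframe>
            my $attrs = '';
            for my $k (@{ $ALLOW{$tag} }) {          # drops onmouseover, style, class, ...
                my $v = $attr->{$k};
                $v = safe_url($v) if defined $v && $k eq 'href';
                $attrs .= qq{ $k="} . esc($v) . '"' if defined $v;
            }
            if ($tag eq 'br') { $out .= '<br>'; return }
            push @open, $tag;
            $out .= "<$tag$attrs>";
        }, 'tagname, attr, text'],
        end_h => [sub {
            my ($tag, $raw) = @_;
            unless (exists $ALLOW{$tag} && $tag ne 'br') { $out .= esc($raw); return }
            return unless grep { $_ eq $tag } @open;   # stray closing tag: ignore it
            while (my $t = pop @open) { $out .= "</$t>"; last if $t eq $tag }
        }, 'tagname, text'],
        text_h    => [sub { $out .= esc($_[0]) }, 'dtext'],   # decode entities, then re-escape
        default_h => [sub {}, ''],   # comments (incl. SSI <!--# -->), <!DOCTYPE>, <?php ?> are dropped
    );
    $p->parse($html); $p->eof;
    $out .= "</$_>" for reverse @open;  # close whatever the commenter left open
    return $out;
}

# Constructed sample: an event handler, a javascript: link, a script block and an SSI comment.
print filter_html(q{<p onmouseover="alert(1)">hi <a href="javascript:alert(1)">x</a>}
                . q{<script>alert(1)</script><!--#echo var="DATE_LOCAL" -->}), "\n";
```

Because unknown markup is escaped rather than deleted, a reader of the rendered comment can still see what was attempted, which is useful when reviewing a comment feed for abuse.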

Re: Module to filter user-input HTML text for security?
by 914 (Pilgrim) on Jul 17, 2004 at 10:34 UTC
    The more I look at the blosxom "comments" plugin, the more I realize that really securing it may well be over my head.

    I'm taking a crack at it, but can I solicit advice from the crowd here?

    Things like this look obviously bad to me, and make me wonder what else lurks :

    # walks the components of $path, creating $comments_dir/<component>/... level by level with mkdir
    foreach ("", split(/\//, $path)) { $p .= "$_/"; -d "$comments_dir$p" or mkdir "$comments_dir$p", 0755; }
    The entire package is pasted below....
Re: Module to filter user-input HTML text for security?
by ccn (Vicar) on Jul 17, 2004 at 10:14 UTC
Re: Module to filter user-input HTML text for security?
by sgifford (Prior) on Jul 18, 2004 at 03:47 UTC
      Thanks! I'll give those and the others mentioned a try..

      Not that I really feel competent to be "securing" something for open web use, but.... I guess it's better than nothing!

      I was sort of hoping (hint, hint) that some of the high-ranking Saints around here might give the plugin a go-over. It looks to me like there's a LOT of people out there using it as-is.... and I'm sure the author would welcome some free, good feedback.

      ;-)

Re: Module to filter user-input HTML text for security?
by lhoward (Vicar) on Jul 18, 2004 at 14:03 UTC
    Not a Perl module, but mod_security is a great tool to use to add another layer of protection to an Apache webserver. It analyzes the HTTP requests to block SQL injection, cross site scripting, etc...
