Beefy Boxes and Bandwidth Generously Provided by pair Networks
Think about Loose Coupling

Reroh Rorge: Opinions needed on CGI security

by baku (Scribe)
on Feb 14, 2001 at 19:33 UTC ( #58359=note: print w/replies, xml ) Need Help??

in reply to Re: Re (tilly) 2: Opinions needed on CGI security
in thread Opinions needed on CGI security

There are a few ways to get almost all known HTML/JS evils out of the way...

The simplest, and a very effective one, is to simply URL-encode everything that comes in, like the PerlMonks.Com <code> tag does. The following JavaScript is harmless: <script>alert("I am malevolent");</script> because it has turned into &lt;script&gt;... before your browser sees it.

If you like certain HTML constructs, allow only them, like the <p> & <em> tags I'm using in this post (but not the <form> tag here: <form><input type="text" size="2"></form>

For better safety, as well as flexibility in presentation (HTML, WML, PDF, &c.) using an HTML->internal form->presentation form sequence might be desireable; e.g. using an XML dialect with no scripting, &c. internally.

The only "badness" I know of which can't be readily filtered out this was is an hyperlink containing potentially malicious content, e.g. a link to a site that does evil things, or (but I don't think any current browsers are troubled by this) a buffer overrun in the URL itself or sommat.

But, I'm sure someone will think of something interesting that can be done with <p> in IE 6, and we'll all be back to the drawing board :-)

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://58359]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others cooling their heels in the Monastery: (3)
As of 2019-07-19 02:09 GMT
Find Nodes?
    Voting Booth?

    No recent polls found