PerlMonks
Re^2: Need help figure out CSRF vulnerability on this cgi code

by tinita (Parson)
on Mar 31, 2012 at 20:51 UTC (#962798)


in reply to Re: Need help figure out CSRF vulnerability on this cgi code
in thread Need help figure out CSRF vulnerability on this cgi code

> Wherever you take in input from the internet, and output it directly as HTML, you have a CSRF.

I'd rather say you have XSS, and CSRF is an effect of this; by eliminating XSS you are not safe from CSRF.

> Basically, add ESCAPE=HTML to all variables in your template.

Or better, use default_escape 'HTML', so you can't forget to do it in the template.
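The two points in the reply above, as an added example that is not part of tinita's post or of the original CGI script: HTML::Template's default_escape => 'HTML' escapes every <TMPL_VAR> so a forgotten ESCAPE=HTML no longer becomes an XSS, but that does nothing against CSRF, which needs a per-session token that the handler checks on POST. The template, the %session hash standing in for a real session store, the token helpers and the /dev/urandom secret are all assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;                     # the module discussed in the thread
use Digest::SHA qw(hmac_sha256_hex);

# Template kept inline (constructed for this example). Note that neither
# variable carries ESCAPE=HTML in the template itself; the escaping comes
# from default_escape on the HTML::Template object below.
my $tmpl = <<'END';
<form method="post" action="/cgi-bin/profile.cgi">
  <input type="hidden" name="csrf" value="<TMPL_VAR NAME=csrf>">
  <label>Name: <input name="name" value="<TMPL_VAR NAME=name>"></label>
  <input type="submit" value="Save">
</form>
<p>Hello, <TMPL_VAR NAME=name>!</p>
END

# Per-session secret, generated once and stored server side. The hash is a
# stand-in for a real session store (hypothetical); the secret must never
# reach the browser.
sub new_session {
    my $id = shift;
    open my $fh, '<:raw', '/dev/urandom' or die "no /dev/urandom: $!";
    read $fh, my $secret, 32 or die "short read from /dev/urandom";
    close $fh;
    return { id => $id, secret => $secret };
}

# Synchronizer token: bound to the session, recomputable on the server.
sub csrf_token {
    my ($session) = @_;
    return hmac_sha256_hex($session->{id}, $session->{secret});
}

# Constant-time string compare so the check does not leak how many
# leading characters of the token were right.
sub tokens_equal {
    my ($a, $b) = @_;
    return 0 if length($a) != length($b);
    my $diff = 0;
    $diff |= ord(substr($a, $_, 1)) ^ ord(substr($b, $_, 1)) for 0 .. length($a) - 1;
    return $diff == 0;
}

# XSS side: every TMPL_VAR is HTML-escaped because of default_escape, so the
# name below renders as &lt;script&gt;... instead of executing.
sub render_form {
    my ($session, $name) = @_;
    my $t = HTML::Template->new(
        scalarref      => \$tmpl,
        default_escape => 'HTML',
    );
    $t->param(name => $name, csrf => csrf_token($session));
    return $t->output;
}

# CSRF side: a forged cross-site POST cannot read the hidden field of the
# victim's form, so it arrives without a valid token and is rejected here.
sub check_csrf {
    my ($session, $submitted) = @_;
    return 0 unless defined $submitted;
    return tokens_equal($submitted, csrf_token($session));
}

my $session = new_session('sess-42');
print render_form($session, '<script>alert(1)</script>');

my $forged_post = { name => 'attacker', csrf => 'guess' };    # constructed
my $real_post   = { name => 'alice', csrf => csrf_token($session) };
printf "forged request accepted: %d\n", check_csrf($session, $forged_post->{csrf});   # 0
printf "real request accepted:   %d\n", check_csrf($session, $real_post->{csrf});     # 1
```

In the real CGI script the token would come from CGI.pm's param('csrf') and the session from a cookie-backed store; the point the example makes is that default_escape fixes the HTML output problem in one place, while the token check is a separate control that still has to exist for every state-changing request.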