in reply to Re: default_escape for Template::Toolkit?
in thread default_escape for Template::Toolkit?
what do you do to prevent XSS reliably?
- Sanitize user input using an accept-known-good-only approach (link to owasp.com). I find Embperl::Form::Validate very useful, although there are many others as well.
- Flip HTML::Mason's default_escape_flags so that if someone enters <script>load_malicious_javascript_from_hacker_site;</script> into a text field in your blog, it is displayed verbatim rather than turned into executable code.
--
When you earnestly believe you can compensate for a lack of skill by doubling your efforts, there's no end to what you can't do. [1]
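As an added illustration (not code from the original post), this is what flipping default_escape_flags looks like in a standalone HTML::Mason::Interp; the component source and the comment string are constructed for the example:

```perl
use strict;
use warnings;
use HTML::Mason::Interp;

# Every <% ... %> substitution is HTML-escaped ('h' turns <, >, & and "
# into entities) unless a component explicitly opts out with the 'n' flag.
# Use 'u' instead of 'h' for values that are interpolated into URLs.
my $out = '';
my $interp = HTML::Mason::Interp->new(
    default_escape_flags => 'h',
    out_method           => \$out,
);

# Constructed component: the first line relies on the default escaping,
# the second line switches it off with "| n" and so emits raw markup.
my $comp = $interp->make_component( comp_source => <<'MASON' );
<%args>
$comment
</%args>
<p>escaped: <% $comment %></p>
<p>raw:     <% $comment | n %></p>
MASON

# Constructed blog comment of the kind the post describes.
my $comment = '<script>load_malicious_javascript_from_hacker_site;</script>';

$interp->exec( $comp, comment => $comment );
print $out;
```

The "escaped" line renders the tag as text (&lt;script&gt;...), while the "raw" line hands the browser a live script, which is why "| n" should be reserved for markup you generated yourself rather than anything that came from a form field.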
In Section: Seekers of Perl Wisdom