perlquestion
osfameron
After I read the recent [146949|post] about Cross Site
Scripting attacks, I sat down and wrote an HTML filter to make user-submitted HTML safe (using [cpan://HTML::Parser]).
Then I read some more posts, and followed some links (I particularly liked
<a href="http://spoor12.edup.tudelft.nl/SkyLined/">this one</a>) and then got scared.
<p>
You can call malicious code from an <i><code><IMG></code></i>
tag??!! And even stranger, from a
<i><code><STYLE></code></i> tag... (well, I thought it
was strange, because STYLE is for, um, formatting, not
for running code, but of course this allows for dynamically
generated styles).<p>
So, for plain HTML, I think I now know what I can do: I
will add the necessary filtering ability to my self-rolled
version, test it against the exploits listed in the various articles, and if it doesn't come up to scratch, I'll use
[cpan://HTML::TagFilter] as recommended by some (Hell, I'll maybe
use that anyway, but this is the first time I've been able
to get <code>HTML::Parser</code> to do <i>anything</i> useful, so I'm enjoying reinventing this wheel...)
<p>
But if I want users to be able to submit their own
Stylesheets, how do I parse the CSS entry to make sure they
aren't adding malicious code? Can I just filter
out <code>@</code> and <code>expression()</code>? Surely
there must be a pre-rolled solution? (I found
[cpan://CSS::SAC] which looks like a CSS parser, but didn't seem to have any documentation on how to use it for this
kind of eventuality.<p>
I think that one suggestion involved creating a user
interface to limit what CSS is entered, which I don't
want to have to do if I can avoid it!!
<p>Cheerio!<BR>
Osfameron<br>
<a href="http://osfameron.perlmonk.org/chickenman/">
http://osfameron.perlmonk.org/chickenman/
</a>