Beefy Boxes and Bandwidth Generously Provided by pair Networks
The stupid question is the question not asked
 
PerlMonks  

Re: Preventing XSS

by ikegami (Patriarch)
on Sep 19, 2007 at 20:11 UTC ( [id://639988]=note: print w/replies, xml ) Need Help??


in reply to Preventing XSS

Sounds to me like you want 

$vars{$_} = HTML::Entities::encode_entities($vars{$_}, '<>&"');

[download]

Quote HTML::Entities,

The default set of characters to encode are control chars, high-bit chars, and the <, &, >, ' and " characters. But this, for example, would encode just the <, &, > and " characters:

$encoded = encode_entities($input, '<>&"');

[download]

It converts plain text into tag-less HTML.

Replies are listed 'Best First'.
Re^2: Preventing XSS (sg)
by tye (Sage) on Sep 19, 2007 at 20:48 UTC

    Note that I see no reason to encode quote characters here. It isn't like the result is being placed into an attribute value. (:

    And I probably wouldn't encode all ampersands since they are useful and rather low risk. If you are worried about the little-supported javascriptish ampersand stuff, then I'd only encode those ampersands. But I guess taking something useful away from users out of combined fear and laziness is not a shockingly rare result.

    Which leaves us with a couple of simple regexes and little reason to use a module: 

    s/&{/&amp;{/g;
s/</&lt;/g;

    [download]

    - tye        

[reply]
[d/l]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://639988]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others meditating upon the Monastery: (3)
As of 2024-04-20 03:38 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found