Re^2: XSS-Bug in HTML::BBCode

in reply to Re: XSS-Bug in HTML::BBCode
in thread XSS-Bug in HTML::BBCode

You might consider using HTML::StripScripts (I'm the maintainer) as a filter for your output HTML. It'll filter tags, attributes and styles. Instead of returning the HTML directly, you would need to feed it tokens like start and end tags with attributes, content etc, and set the level of filtering that you would like.

Have a look at HTML::StripScripts::Parser and HTML::StripScripts::LibXML for ideas of how to interface with HTML::Stripscripts.

Clint

Comment on Re^2: XSS-Bug in HTML::BBCode

Replies are listed 'Best First'.
Re: XSS-Bug in HTML::BBCode by b10m (Vicar) on Aug 14, 2007 at 14:52 UTC
I was actually already looking into this possibility :-) Instead of changing the parser's behaviour, just let it do it's work and then remove all unwanted stuff afterwards. That _should_ prevent further abuse aswell (assuming your module is flawless ;-) ) -- b10m All code is usually tested, but rarely trusted.	[reply]
Re^2: XSS-Bug in HTML::BBCode by clinton (Priest) on Aug 14, 2007 at 15:00 UTC
If it's not flawless, I'll point all blame at the original author - any praise will, naturally, stop with me :) That said, I've added tests for all (relevant) exploits on the XSS (Cross Site Scripting) Cheat Sheet website. I don't know what tags you generate through HTML::BBCode, but you may need to override (by sub-classing) the default list if you need to add any. Also, I think that your HTML generator would be a good match with HTML::StripScripts, because StripScripts need to receive tokens, and your module is generating tokens... the interface should be pretty easy. If you need any help with it, drop me a /msg Clint	[reply]

In Section Seekers of Perl Wisdom