aakashmgupta has asked for the wisdom of the Perl Monks concerning the following question:

I am not sure what is wrong with this code. I am trying to remove special characters from the URL; for example, http://google.com/>"<script>alert(2121)</script> triggers the javascript. I want to encode the '<>&"' from the URL, so this is the code I am trying to execute.

my $cgi = CGI->new();
use HTML::Entities;

sub escapeParams {
    my( $self ) = shift;
    my @params = $self->query->param('<>&"');
    foreach my $param ( @params ) {
        # $self->query->param( $param, HTML::Entities::encode( $self->query->param( $param ) ) );
        $self->query->param( HTML::Entities::encode($param), HTML::Entities::encode( $self->query->param( $param ) ) );
        print $self->query->param( $param );
    }
}
escapeParams($cgi);

Replies are listed 'Best First'.
Re: HTML::ENTITIES for URL encoding
by cheako (Beadle) on Mar 04, 2015 at 20:44 UTC

    My best guess is that should have been: 'http://google.com/">'
    or perhaps you are intentionally looking to output: 'http://google.com/&gt;&quot;'?

    Regardless, it looks like your problem is that you need to turn on "use strict;". Then you'll see that $self->query does not exist! Try instead "my( $query ) = shift;" and use "my @params = $query->param();" (notice no arguments) to fetch the list of parameters.

    If you need to filter to just parameter names containing special chars filter using "next".
      When a user hits my URL in the browser like this:
      http://example.com/>"<script>alert(1212)</script>
      this triggers the javascript. I want to escape/remove/replace the special characters so that it will not trigger javascript.
      And a second thing:
      "if you need to filter to just parameter names containing special chars filter using "next"."
      I didn't get this, can you please explain?

        >"<script>alert(1212)< <--- In all likelihood this directory is not found, so no Perl coding is necessary. Your web server will fail with a 404 file not found long before you get to run any Perl code.

        We don't fix things using JavaScript here at the Monastery.
        Read: next 7th line from the top is a great example.

        And again it should be: http://example.com/"><script>alert(1212)</script> This is the solution you are looking for, nothing to do in either Perl or JS.
        Have you tried using regular HTTP parameters? http://example.com/?alert=1212">
Re: HTML::ENTITIES for URL encoding
by Anonymous Monk on Mar 05, 2015 at 13:41 UTC

    Sounds like you're trying to protect against XSS attacks, which is a Good Thing. But I think you may be overcomplicating your solution. Try calling the following with the URL test.cgi?link=http://www.google.com%22%3E%3Cscript%3Ealert%28%27Bang!%27%29%3C/script%3E (i.e. "test.cgi?link=http://www.google.com"><script>alert('Bang!')</script>") and look at the resulting HTML.

    use CGI;
    my $cgi=CGI->new;
    print $cgi->header;
    print $cgi->start_html;
    my $link=$cgi->param("link");
    print "<a href=\"$link\">Link</a><br/>\n";        # BAD!
    print "<a href=\"".$cgi->escapeHTML($link)        # Good
        ."\">Link</a><br/>\n";
    print $cgi->a({href=>$link},"Link"), $cgi->br;   # Better
    print $cgi->end_html;

    CGI's escapeHTML is just a shortcut to HTML::Entities's encode_entities. Also, I don't understand why you need to escape param names (at least I think that's what you're trying to do?), unless at some point in your script you are dumping all of your params somewhere? If so, the advice is simple: don't do that!
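Putting cheako's advice (iterate the parameters you actually received) and the Anonymous Monk's point (escapeHTML is just encode_entities) together, here is an added example that is not code from either post. It assumes HTML::Entities and URI::Escape are installed, and $link is a constructed value standing in for what $cgi->param("link") would return for the thread's test URL.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);
use URI::Escape    qw(uri_escape);

# Constructed sample: the decoded value of the "link" parameter from
# test.cgi?link=http://www.google.com%22%3E%3Cscript%3E...
my $link = q{http://www.google.com"><script>alert('Bang!')</script>};

# The fix is output escaping chosen by context, not stripping characters
# from the input. Each helper returns the string safe for one context.

# Context 1: value lands inside an HTML attribute or text node.
# encode_entities turns < > & " ' into entities so the browser treats
# them as data, never as markup.
sub for_html_attr {
    my ($value) = @_;
    return encode_entities($value, q{<>&"'});
}

# Context 2: value is embedded as one component of a URL (e.g. a
# query-string value). uri_escape percent-encodes everything outside
# the unreserved set, so " becomes %22 and > becomes %3E.
sub for_url_component {
    my ($value) = @_;
    return uri_escape($value);
}

# Same anchor as the thread's "BAD!" print, but with the attribute escaped.
sub anchor_html {
    my ($href) = @_;
    return q{<a href="} . for_html_attr($href) . q{">Link</a>};
}

# Building a URL that carries the value onward (hypothetical endpoint).
sub redirect_url {
    my ($target) = @_;
    return 'http://example.com/go?u=' . for_url_component($target);
}

print anchor_html($link),  "\n";   # <a href="http://www.google.com&quot;&gt;&lt;script&gt;..."> 
print redirect_url($link), "\n";   # http://example.com/go?u=http%3A%2F%2Fwww.google.com%22%3E%3Cscript%3E...
```

Note the two helpers are not interchangeable: a value that will sit in an href attribute needs entity encoding, while a value spliced into a query string needs percent-encoding, which is why the thread's title conflates two different problems.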