Bad practices, even when using Perl, can lead to XSS attacks. This is not the place to debate the "known and widely accepted solutions" to XSS. There are many resources outside of Perl that deal with this topic. Use the Perl modules and you've got a chance at safe code; head off in your own direction and you'll regret it.
My post was aimed at getting the Monk to understand that the question was leading the code in a direction it would be best it didn't. There are not many ways to implement a website hardened against XSS, and this limits the scope of any questions related to login, sessions, data handling, and form validation to a less than manageable size. In other words, if you're doing web development and your code dealing with one of these areas doesn't just work, you need to fall back into line or your users will be hacked.
Q: My web site login/logout code needs to delete cookies, how can I do this?
A: You don't do login/logout that way; it's not standard practice, and what you are trying to do screams XSS attack.
Instead of deleting a cookie, don't send your anti-XSS hidden input.
All web forms should have some POST/GET variable with a secret code that only that user knows. This ensures that forms without the correct hidden input value can't be submitted to the site. The site code can easily determine whether the form being filled out originated from the site.
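As an added example (not code from this thread), here is one way to implement the per-user hidden form secret the answer above describes, in plain Perl with only core modules: a secret is created at login and kept server-side, each form carries an HMAC of the session id and form name keyed by that secret, and a submission is accepted only if the posted value matches. The session id, form name and the use of /dev/urandom are assumptions for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module

# Assumed: the per-session secret is created at login and stored only
# server-side (in the session record); it is never sent to the browser.
sub new_session_secret {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, 32 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;        # 64 hex characters
}

# The hidden input value: HMAC over session id and form name, keyed by the
# session secret, so a token from one form or session is useless elsewhere.
sub form_token {
    my ($session_secret, $session_id, $form_name) = @_;
    return hmac_sha256_hex("$session_id|$form_name", $session_secret);
}

# Constant-time comparison so timing does not leak how many bytes matched.
sub tokens_match {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Emitting the form: the token travels as a hidden input (hex only, so no
# HTML escaping is needed for this value).
sub hidden_input_html {
    my ($token) = @_;
    return qq{<input type="hidden" name="form_token" value="$token">};
}

# Verifying a submission: recompute the expected token from the server-side
# secret and refuse the request when the posted value does not match.
sub submission_is_valid {
    my ($session_secret, $session_id, $form_name, $posted_token) = @_;
    my $expected = form_token($session_secret, $session_id, $form_name);
    return tokens_match($expected, $posted_token);
}

# Demo with constructed values (not from any real site)
my $secret = new_session_secret();
my $sid    = 'sess-demo-1';
my $token  = form_token($secret, $sid, 'profile_update');
print hidden_input_html($token), "\n";
print submission_is_valid($secret, $sid, 'profile_update', $token)  ? "accepted\n" : "rejected\n";
print submission_is_valid($secret, $sid, 'profile_update', 'forged') ? "accepted\n" : "rejected\n";
```

Logging out then amounts to discarding the server-side session record, after which no previously issued token will verify.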