in reply to Input Validation and pattern matching in Template Toolkit

I think your approach of trying to filter out common known attacks will be a constant battle. Instead of attempting that, why don't you simply HTML-filter attack? Usernames should not contain (or be interpolated as) HTML. See for example homoglyph attacks like tye&nbsbp; which really, really looks like tye but with whitespace at the end.

Re^2: Input Validation for Template Toolkit
by dipit (Sexton) on Jun 20, 2018 at 09:40 UTC

    Hello Corion! Thanks for your response. "attack" can contain values such as xxx@domain.com. In this case, every input is escaped or encoded, but I need to encode only attacking ones like login=<script>...</script> etc. That's why I wanted to match the input with keywords and display the template accordingly.

      Sure, but then somebody could submit login=<img src="http://evil.example.com/attack.js">, and you would have to catch that too.

      And certainly, there are other attacks. I would recommend escaping all data that is user-supplied.
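The recommendation above, as an added example that is not from the original posts: the keyword blacklist from the question beside Template Toolkit's built-in `html` filter, run over constructed sample values (the regex, the sample logins and the template string are assumptions).

```perl
#!/usr/bin/perl
# Added example (not from the thread): blacklist matching versus escaping
# every user-supplied value with Template Toolkit's "html" filter.
use strict;
use warnings;
use Template;

# Constructed sample inputs: a harmless address, the two payload shapes
# mentioned in the thread, and the entity case from the first reply.
my @logins = (
    'xxx@domain.com',
    '<script>alert(1)</script>',
    '<img src="http://evil.example.com/attack.js">',
    'tye&nbsp;',
);

# The blacklist approach from the question: it only catches what it knows
# about, so the <img ...> value passes as "not an attack".
sub looks_like_attack {
    my ($value) = @_;
    return $value =~ /<script/i ? 1 : 0;
}

# The approach recommended in the thread: never interpolate raw input into
# HTML. [% login | html %] entity-encodes <, >, & and " whatever the value
# holds, so no keyword list is needed and '&nbsp;' is shown literally.
my $tt       = Template->new();
my $template = q{<p>Welcome, [% login | html %]</p>};

for my $login (@logins) {
    my $out;
    $tt->process( \$template, { login => $login }, \$out )
        or die $tt->error;
    printf "%-48s blacklist=%d  rendered=%s\n",
        $login, looks_like_attack($login), $out;
}
```

The blacklist column is 0 for the `<img>` value while the rendered column shows it neutralised, which is the point of escaping everything rather than pattern-matching.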