I chose to use HTML::Filter in the way that I did for a few reasons:

  1. The biggest reason was that it was very easy. The patch was 25 very fluffy lines of code and configuration. If you don't want to use HTML::Filter, it doesn't require you to have the module installed.
  2. It made it trivial to allow customization of the filters: you can easily configure the list of tags you want removed.
  3. It allows you to let safe things like formatting tags work as intended, while disallowing javascript, forms, etc. Blindly escaping everything that looks remotely HTML-ish doesn't allow this, and writing the code by hand to figure out what to escape and what not to escape is a lot more difficult than using a canned module.
There's a much easier, faster way than either of our methods to disable anything dangerous whether we have or haven't thought of it. Not installing the proxy in the first place is the easiest solution, and requires the least amount of code and work to implement. But that doesn't make it a good solution, because you lose functionality you would otherwise have if you were willing to put in a bit more effort, and/or accept a certain level of risk.

The same principle applies here: HTML::Filter isn't as efficient in processing time or code size as something akin to s/</&lt;/g; s/>/&gt;/g;. But it provides functionality that a few simple escaping regexes do not. If you don't need that functionality, then by all means make your design decisions differently. I chose an easily configurable solution partially because it allowed us to do what we needed to do, but also because the code allows other people to do what they need to do as well, even if they have different requirements than I do.

By way of an update:
I was able to contact the script's author, and I submitted my patch. The script is currently going through a rewrite, but he expects to release a patched version of the old code before the new version is available. The most important outcome is the fact that the author now knows of a problem in the script that he didn't know about before. If he decides to solve it some way other than the way I used, that's up to him. In the meantime, I'll use the solution I have.

Update: Sorry to sound defensive; I guess I misinterpreted the tone of your question :)

Alan


In reply to Re: Geektools whois proxy by ferrency
in thread Geektools whois proxy by ferrency
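The approach the post describes (let safe formatting tags through, drop script, form and friends, keep the tag list configurable) is easy to sketch with HTML::Filter, which ships with the HTML-Parser distribution. The following is an added illustration, not ferrency's patch and not the Geektools proxy's code: the package name WhoisHtmlFilter, the particular allow-lists, the href scheme check and the sample whois text are all assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# WhoisHtmlFilter: a hypothetical HTML::Filter subclass (example code, not the
# proxy's patch). HTML::Filter calls start/end/text/comment/declaration for each
# token and passes everything through output(); we override those to enforce an
# allow-list and to buffer the result instead of printing it.
package WhoisHtmlFilter;
use parent 'HTML::Filter';

# Configurable allow-lists (assumed values chosen for this example).
# Anything not listed here is dropped: script, style, form, input, iframe, ...
my %ALLOWED_TAG  = map { $_ => 1 } qw(a b i u em strong p br pre tt hr);
my %ALLOWED_ATTR = ( a => { href => 1 } );   # no on* handlers, no style, etc.

sub new {
    my ($class, @args) = @_;
    my $self = $class->SUPER::new(@args);
    $self->{out} = '';
    return $self;
}

sub output { $_[0]->{out} .= $_[1] }    # collect into a string
sub result { $_[0]->{out} }

# Rebuild allowed start tags from scratch so that only allowed attributes,
# with re-escaped values, survive. Unknown tags produce no output at all.
sub start {
    my ($self, $tag, $attr, $attrseq, $origtext) = @_;
    return unless $ALLOWED_TAG{$tag};
    my $rebuilt = "<$tag";
    for my $name (@$attrseq) {
        next unless $ALLOWED_ATTR{$tag} && $ALLOWED_ATTR{$tag}{$name};
        my $value = $attr->{$name};
        # Only plain http/https links; this blocks javascript:, data:, vbscript: ...
        next if $name eq 'href' && $value !~ m{\A\s*https?://}i;
        $value =~ s/&/&amp;/g;
        $value =~ s/"/&quot;/g;
        $value =~ s/</&lt;/g;
        $value =~ s/>/&gt;/g;
        $rebuilt .= qq{ $name="$value"};
    }
    $self->output("$rebuilt>");
}

sub end {
    my ($self, $tag, $origtext) = @_;
    $self->output("</$tag>") if $ALLOWED_TAG{$tag};
}

# Text nodes pass through unchanged (HTML::Filter hands them over with their
# entities intact); comments and declarations are silently discarded.
sub comment     { }
sub declaration { }
sub process     { }

package main;

# Constructed sample whois response carrying the kinds of payloads a hostile
# registrar record could contain. Not real data.
my $whois = <<'HTML';
Domain Name: EXAMPLE.COM
<b>Registrar:</b> Example Registrar <script>alert(document.cookie)</script>
<a href="javascript:alert(1)" onclick="alert(2)">Referral URL</a>
<a href="http://www.example.com/">http://www.example.com/</a>
<form action="http://attacker.invalid/steal"><input name="q"></form>
<!-- <img src=x onerror=alert(3)> -->
HTML

my $filter = WhoisHtmlFilter->new;
$filter->parse($whois);
$filter->eof;
print $filter->result;
```

Running this leaves the <b> and the http:// link intact, turns the javascript: link into a bare <a> with no attributes, and removes the script, form, input and comment markup. Note that dropping a <script> tag leaves its body ("alert(document.cookie)") behind as inert text; if that is unwelcome, track the open tag in start() and suppress text() until the matching end() arrives. The two allow-list hashes are the whole configuration surface, which is the point the post makes about a canned parser versus hand-rolled escaping.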
