Scenario: Our company is in the process of restructuring the way we create dynamic Web sites. I have been tasked with researching and implementing the creation of secure, scalable systems. My current problem is one that I am sure other monks have faced.

I have convinced the company that we need to switch to a templating system (probably Template Toolkit) as the first step. However, some of our clients already have rather extensive Web sites. They would like to take much of the e-commerce functionality that we have and embed them within their Web pages without having us create an entire site from scratch.

My initial thought was that all scripts would check for an SSI parameter and serve either the entire page, or the appropriate section, depending upon whether the page was called from an SSI. Unfortunately, one of our clients wants to retain the ability to access and update the HTML directly. What I don't want is the client to be able to enter something like <!--#exec cmd="..."-->. I would much prefer that they be able to enter a tag that we supply and have it parsed with Perl using Template Toolkit. This would involve having IIS trap calls to HTML files in their directory and pass it off to a handler script. I don't yet know how to set that up (any IISMonks out there? :), but it seems much safer than allowing them to enter SSIs.

Any thoughts or comments about this method of ensuring security?

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the link and check out our stats.


In reply to Tighter Security with Client Supplied SSIs by Ovid
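The handler Ovid sketches above, written out as an added example (this is not code from the post or from Template Toolkit's own distribution). It assumes a vendor tag syntax of the form `<ecom:...>`, a fragment named `cart_widget`, an allowlist of exactly two client directives, and a constructed client page; all of those are illustrative choices, not anything the post specifies. The point it demonstrates: the client's HTML is never handed to the SSI module, so `<!--#exec cmd="..."-->` and a stray `[% PERL %]` come out as inert text, while only the tags we hand the client are live, and even those are checked against an allowlist before Template Toolkit parses the page.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed stand-in for a client-maintained HTML file. The SSI directives
# and the [% PERL %] block are the things that must never execute.
my $client_html = <<'HTML';
<html><body>
<h1>Acme Widgets</h1>
<!--#exec cmd="id"-->
<!--#include virtual="/cgi-bin/env.cgi"-->
[% PERL %] system('id'); [% END %]
<p>Your basket: <ecom:INCLUDE cart_widget></p>
</body></html>
HTML

# Fragments we supply (assumed names). These are trusted templates and may
# use any TT directive; the client's page may not.
my %fragments = (
    cart_widget => '<span class="cart"><ecom:cart.items.size> item(s), '
                 . 'total <ecom:cart.total | html></span>',
);

# Directives a client page may contain: exact strings, nothing else.
# Anything else TT would understand through the same tag syntax (USE of the
# File/Directory plugins, INSERT, PROCESS of arbitrary names, FILTER redirect)
# is refused before TT ever sees the page.
my %allowed_tag = map { $_ => 1 } ('INCLUDE cart_widget', 'INCLUDE login_box');

my $tt = Template->new({
    START_TAG => quotemeta('<ecom:'),  # only our syntax is live;
    END_TAG   => quotemeta('>'),       # [% ... %] is plain text
    BLOCKS    => \%fragments,          # INCLUDE resolves here, not on disk
    ABSOLUTE  => 0,   # these three are TT defaults, pinned so a later
    RELATIVE  => 0,   # config edit cannot quietly allow /etc/passwd or
    EVAL_PERL => 0,   # ../ includes, or PERL blocks in our own fragments
}) or die Template->error;

# Returns the client directives that are not on the allowlist.
sub disallowed_tags {
    my ($html) = @_;
    my @tags = map { my $d = $_; $d =~ s/^\s+|\s+$//g; $d }
               $html =~ /<ecom:(.*?)>/gs;
    return grep { !$allowed_tag{$_} } @tags;
}

# Render a client page, or just our fragment when the caller only wants the
# e-commerce piece (the post's "SSI parameter" idea, without any SSI).
sub render {
    my ($html, %opt) = @_;
    my $src = $opt{fragment_only} ? '<ecom:INCLUDE cart_widget>' : $html;
    if (my @bad = disallowed_tags($src)) {
        die "refused client page: unapproved tag(s): @bad\n";
    }
    my $out = '';
    $tt->process(\$src, $opt{vars}, \$out) or die $tt->error;
    return $out;
}

# Data the page may reference. Nothing else on the server is reachable
# through the template, so this hash is the whole exposed surface.
my %vars = ( cart => { items => [ 'widget', 'gadget' ], total => '19.99' } );

print render($client_html, vars => \%vars);
print "--- fragment only ---\n",
      render($client_html, vars => \%vars, fragment_only => 1), "\n";

# A page that tries to pull anything other than our fragments is rejected
# before Template Toolkit parses it at all.
eval {
    render('<ecom:INCLUDE /etc/passwd><ecom:USE d = Directory("/etc")>',
           vars => \%vars);
};
print $@;
```

Two caveats worth keeping in mind with this approach. First, the custom tag syntax is not a sandbox by itself: every TT directive is still reachable through `<ecom:...>`, which is why the script allowlists exact directive strings rather than trusting the tag style; the `ABSOLUTE`/`RELATIVE`/`EVAL_PERL` settings are a second layer, not the first. Second, the inert `<!--#exec ...-->` only stays inert if the client's files are served solely through this handler; if the same files also remain mapped to IIS's SSI handler (ssinc.dll, which by default handles .stm, .shtm and .shtml), the directive would be processed on that path regardless of what Template Toolkit does with it.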
