Hi
Belated thanks for the responses. I thought I'd update with what I did. I got sidetracked from this project a bit but I'm back into it now.
HTML::StripScripts looks like what I need: I'm more concerned about XSS attacks than anything else. I'd not found that in the various searchs that I did.
I did some further testing of HTML::Defang and it's pretty impressive. Example:
<IMG SRC=javascript:a& +#x6Cert('XSS')>
Becomes:
<IMG defang_SRC=javascript:alert('XSS')>
Note the lack of semicolons on the encoded character references in an attempt to confuse filters. (taken from ha.ckers.org/xss.html)
I will do some similar tests on HTML::StripScripts and post the results. This module has some options that I may ind useful compared to HTML::Defang (escape disallowed tags with </> so they appear on the page, for example) - to be investigated and tested.
Looking into the posibilities has made me think seriously about disallowing HTML entry at all and using another markup language. That still has to be tested for allowing scripts though ;-)
Cheers
FalseVinylShrub
Disclaimer: Please review and test code, and use at your own risk... If I answer a question, I would like to hear if and how you solved your problem.
In reply to Re: HTML cleanup of user submitted content
by FalseVinylShrub
in thread HTML cleanup of user submitted content
by FalseVinylShrub
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |