in reply to Re: How do I test for potential security problems?
in thread How do I test for potential security problems?

OeufMayo,

Thanks for the quick reply. I've added taint checking and I only had to modify one routine to untaint some data.

But I'm still faced with the potential of rogue input. For example, I've experienced this nice bit of input in a message board.

<marquee onstart=for(i=0;i<500;i++)prompt()>


This doesn't seem to affect Netscape, but IE gets hit and pops a window up 500 times. Since the program needs to accept HTML, is there a good way to eliminate stuff like this?

TIA,

-- Brian

Re: How do I test for potential security problems? (and eventually remove HTML tags)
by OeufMayo (Curate) on Jan 16, 2001 at 17:37 UTC

    I don't have any code around to do this, but you might want to check HTML::Parser or HTML::TokeParser.

    The idea is to scan the user input for tags or attributes you don't want him/her to use (<SCRIPT>, <MARQUEE>, etc.), strip them and store the resulting HTML field.

    --
    PerlMonger::Paris(http => 'paris.pm.org');
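Here is an added example of the HTML::Parser approach OeufMayo describes; it is not his code and not from the original thread. It goes one step further than stripping a list of bad tags: it keeps only an allow-list of tags and attributes (a hypothetical %ALLOWED table) and escapes everything else, because a deny-list of <SCRIPT>, <MARQUEE> and so on silently misses the next tag or event-handler attribute you did not think of. The sample inputs at the bottom are constructed for the demo, the first one being the <marquee onstart=...> line from the post above.

```perl
#!/usr/bin/perl
# Hypothetical HTML sanitizer built on HTML::Parser (added example, not the
# thread's code).  Rather than stripping known-bad tags, it keeps only an
# allow-list of tags and attributes and re-emits everything else as text.
use strict;
use warnings;
use HTML::Parser;
use HTML::Entities qw(encode_entities);

# tag => [ attributes that may survive ].  Anything not listed here,
# including every on* event handler and style=, is dropped.
my %ALLOWED = (
    b      => [],
    i      => [],
    em     => [],
    strong => [],
    p      => [],
    br     => [],
    a      => ['href'],
);

# href may be relative, http(s) or mailto; any other scheme
# (javascript:, data:, vbscript:, ...) is rejected.
sub safe_href {
    my ($url) = @_;
    (my $probe = $url) =~ s/[\x00-\x20]//g;    # browsers ignore embedded controls: "java\nscript:"
    return 1 if $probe !~ /^[a-z][\w+.-]*:/i;   # no scheme at all -> relative URL
    return $probe =~ /^(?:https?|mailto):/i ? 1 : 0;
}

sub sanitize_html {
    my ($html) = @_;
    my $out  = '';
    my @open;                                   # allowed tags emitted but not yet closed
    my $skip = 0;                               # >0 while inside <script>/<style> content

    my $p = HTML::Parser->new(
        api_version => 3,
        start_h => [ sub {
            my ($tag, $attr) = @_;
            if ($tag eq 'script' || $tag eq 'style') { $skip++; return }
            return unless exists $ALLOWED{$tag};      # <marquee>, <img>, <iframe>, ... vanish
            my %ok;
            @ok{ @{ $ALLOWED{$tag} } } = ();
            my @keep;
            for my $name (sort keys %$attr) {
                next unless exists $ok{$name};        # onstart=, onload=, style=, ... vanish
                my $val = $attr->{$name};             # already entity-decoded by the parser
                next if $name eq 'href' && !safe_href($val);
                push @keep, qq{$name="} . encode_entities($val) . q{"};
            }
            $out .= '<' . join(' ', $tag, @keep) . '>';
            push @open, $tag unless $tag eq 'br';
        }, 'tagname, attr' ],
        end_h => [ sub {
            my ($tag) = @_;
            if ($tag eq 'script' || $tag eq 'style') { $skip-- if $skip; return }
            return unless exists $ALLOWED{$tag} && grep { $_ eq $tag } @open;
            while (my $t = pop @open) {               # close anything still open inside it
                $out .= "</$t>";
                last if $t eq $tag;
            }
        }, 'tagname' ],
        # dtext is entity-decoded, so re-encode it: no raw < > & " can leak through
        text_h => [ sub { $out .= encode_entities($_[0]) unless $skip }, 'dtext' ],
        # comments, <!DOCTYPE> and <? ?> have no handler and are silently dropped
    );
    $p->parse($html);
    $p->eof;
    $out .= "</$_>" for reverse @open;                # balance whatever the user left open
    return $out;
}

# Constructed inputs: the one from the thread plus a few related cases.
for my $in (
    '<marquee onstart=for(i=0;i<500;i++)prompt()>hello</marquee>',
    '<b onmouseover="alert(1)">bold</b> & <script>alert(2)</script>',
    '<a href="javascript:alert(3)">x</a> <a href="http://paris.pm.org/">ok</a>',
    '<i>unclosed <b>tags',
) {
    printf "%-72s => %s\n", $in, sanitize_html($in);
}
```

The marquee line comes out as plain `hello`; the second as `<b>bold</b> &amp; ` with the script body gone; the javascript: link is kept as a bare `<a>x</a>` while the http link keeps its href; and the unclosed tags are closed in the right order so a user cannot leave a tag open across the rest of the page. Two caveats worth keeping in mind: the output still depends on HTML::Parser and the browser agreeing on where tags begin and end, so store and serve the sanitized result rather than re-parsing the raw input each time, and any tag you later add to %ALLOWED needs its own attribute review (an `img` with `src`, for instance, needs the same scheme check as `href`).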