Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I need to untaint user input for a webapp and protect against XSS

I've found no less than 6 modules on CPAN to strip scripts and tags

however, none seem to have the facility to allow embed tags but rewrite them with 'allowScriptAccess=Never', which is how you allow Flash movies but disallow script access (MySpace, YouTube, etc. all use it)

can anyone point me in a good direction?

I'd rather not use 2 modules, but if anyone has done this with 2 modules and likes the results, I'd be happy to give it a shot

Replies are listed 'Best First'.
Re: strip scripts / tags + rewrite embed
by jasonk (Parson) on Oct 16, 2006 at 17:00 UTC

    allowScriptAccess is a parameter for the flash player, not an HTML attribute, so it's unlikely that a module for handling HTML tags will support it.


    We're not surrounded, we're in a target-rich environment!
      it's an attribute that is passed in an object or embed HTML tag

      all of the current tag handlers seem to support removing/blocking it... but none support rewriting it as I need to.
Re: strip scripts / tags + rewrite embed
by Anonymous Monk on Oct 17, 2006 at 02:32 UTC
    OK, so no CPAN modules seem to handle it outright.

    It looks like I need to scrub text for tags in 1 pass, then come again and regex the Flash.

    I'm a bit uneasy with Perl and regexes (I know, odd)... I've just grown accustomed to the Python ones, where matches are objects that contain string position etc.
    my $regex = qr/ <embed \s* ( [^"]*="[^"]*" (?:\s)? )+ \s* (\/)? \s* > /ixm;
    should match anything I toss at it.

    But now I'm unsure.... how can I loop the text with that regex without doing an endless loop (I'll be replacing in text that will pass that test, and I can't code around that)?
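The second pass described above, as an added example that is not part of the thread and not any poster's code: every `<embed>` tag has its `allowScriptAccess` attribute stripped and replaced with `allowScriptAccess="never"`, and the `<param name="allowScriptAccess">` element used inside `<object>` is forced to the same value. The endless-loop worry does not arise with `s///ge`: the substitution operator walks the string once and resumes after each match, so a tag that has just been rewritten is never examined again (a `while ($html =~ /$re/g) { $html =~ s/.../ }` loop does spin, because assigning to the string resets `pos($html)`). The sample HTML is constructed for the example; `example.invalid` is a placeholder host. The regexes assume attribute values contain no `>`, which is why this is only the pass after a real tag scrubber such as HTML::Parser-based module has already run.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example (not code from the thread): force allowScriptAccess to
# "never" on <embed> tags and on <param name="allowScriptAccess"> elements.
# Assumes attribute values contain no '>' (run a tag scrubber first).

my $ATTR_VALUE = qr/"[^"]*"|'[^']*'|[^\s>"']+/;   # quoted or bare attribute value

sub rewrite_embeds {
    my ($html) = @_;

    # 1. <embed ...>: drop any author-supplied allowScriptAccess (any case,
    #    quoted or bare), then append our own. One s///ge pass: the engine
    #    resumes after each match, so the rewritten tag is not rescanned.
    $html =~ s{<(embed)\b([^>]*?)(/?)>}{
        my ($tag, $attrs, $slash) = ($1, $2, $3);   # copy before inner s///
        $attrs =~ s/\s+allowScriptAccess\s*=\s*$ATTR_VALUE//gi;
        $attrs =~ s/\s+$//;                          # tidy trailing space
        qq{<$tag$attrs allowScriptAccess="never"$slash>};
    }gie;

    # 2. <param name="allowScriptAccess" value="..."> inside <object>:
    #    rewrite the value, or add one if the author left it out.
    $html =~ s{<(param)\b([^>]*?\bname\s*=\s*["']?allowScriptAccess["']?[^>]*?)(/?)>}{
        my ($tag, $attrs, $slash) = ($1, $2, $3);
        unless ($attrs =~ s/\bvalue\s*=\s*$ATTR_VALUE/value="never"/i) {
            $attrs .= ' value="never"';
        }
        $attrs =~ s/\s+$//;
        qq{<$tag$attrs$slash>};
    }gie;

    return $html;
}

# Constructed sample input (not from the thread); example.invalid is a placeholder.
my $sample = <<'HTML';
<p>Check this out:</p>
<embed src="http://example.invalid/clip.swf" allowScriptAccess="always" type="application/x-shockwave-flash" />
<object width="425" height="350">
  <param name="movie" value="http://example.invalid/clip.swf">
  <param name="allowScriptAccess" value="always">
  <EMBED SRC="http://example.invalid/clip.swf" allowscriptaccess=sameDomain>
</object>
HTML

print rewrite_embeds($sample);
```

Running it prints the same markup with every `allowScriptAccess` set to `"never"`: the first `<embed>` loses its `"always"` and gains the forced attribute before the `/>`, the `<param>` value is rewritten, and the upper-case `<EMBED>` with a bare `sameDomain` value is handled the same way because both the outer and inner substitutions use the `i` flag. Nothing else in the string is touched, so a tag scrubber's output can be passed straight through this function.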