in reply to Upload security question

The main thing you left off your list of things to watch for is JavasScript cross-site scripting. What do you have in place to prevent a person from putting JavaScript inside the text file that will execute when you display the text as HTML? Perhaps HTML::Strip would come in handy for that part. You are right to worry about possible Denial of Service attacks (continuous uploading). And yes, although it too can be fooled, a CAPTCHA is advisable either on the upload form or on the account-creation form.

Replies are listed 'Best First'.
Re^2: Upload security question
by menolly (Hermit) on Jun 04, 2007 at 21:25 UTC
    CAPTCHAs can create an accessibility problem, however, and providing an audio alternative isn't always sufficient. Do you know your intended audience well enough to believe this won't be a problem?
[reply]
Re^2: Upload security question
by Anonymous Monk on Jun 04, 2007 at 01:03 UTC
    Hey

    thanks for the advice.

[reply]
      Hi,
      I just read more about how to prevent XSS attacks and it seems like CGI.pm sanitizes most of the incoming form input. Is this not enough? Should I still look into HTML::Strip?

      Thanks.
[reply]
        If I am understanding you correctly, the text file is being used to create a form that will only be seen by the person who uploaded the file. If that's the case, then XSS is not a concern since its method of harm is by showing the JavaScript to others. So I guess in this specific case it isn't a threat. I don't know what you're doing to process the form itself, but you may need to handle things on that end (e.g. use placeholders if you are inserting the form input into a database).
[reply]
Re^2: Upload security question
by clinton (Priest) on Jun 07, 2007 at 08:29 UTC
[reply]
      Ah, nice, I'll have a look at those next time I need something of the sort, thanks.
[reply]

In Section Seekers of Perl Wisdom