Re: XSS-Bug in HTML::BBCode

I was actually already looking into this possibility :-) Instead of changing the parser's behaviour, just let it do it's work and then remove all unwanted stuff afterwards. That _should_ prevent further abuse aswell (assuming your module is flawless ;-) )

--
b10m

All code is usually tested, but rarely trusted.

Comment on Re: XSS-Bug in HTML::BBCode

Replies are listed 'Best First'.
Re^2: XSS-Bug in HTML::BBCode by clinton (Priest) on Aug 14, 2007 at 15:00 UTC
If it's not flawless, I'll point all blame at the original author - any praise will, naturally, stop with me :) That said, I've added tests for all (relevant) exploits on the XSS (Cross Site Scripting) Cheat Sheet website. I don't know what tags you generate through HTML::BBCode, but you may need to override (by sub-classing) the default list if you need to add any. Also, I think that your HTML generator would be a good match with HTML::StripScripts, because StripScripts need to receive tokens, and your module is generating tokens... the interface should be pretty easy. If you need any help with it, drop me a /msg Clint	[reply]

Replies are listed 'Best First'.

Re^2: XSS-Bug in HTML::BBCode
by clinton (Priest) on Aug 14, 2007 at 15:00 UTC

original author

That said, I've added tests for all (relevant) exploits on the XSS (Cross Site Scripting) Cheat Sheet website.

I don't know what tags you generate through HTML::BBCode, but you may need to override (by sub-classing) the default list if you need to add any.

Also, I think that your HTML generator would be a good match with HTML::StripScripts, because StripScripts need to receive tokens, and your module is generating tokens... the interface should be pretty easy.

If you need any help with it, drop me a /msg

Clint

[reply]