Re: Preventing XSS

Sounds to me like you want

$vars{$_} = HTML::Entities::encode_entities($vars{$_}, '<>&"');
[download]

Quote HTML::Entities,

The default set of characters to encode are control chars, high-bit chars, and the <, &, >, ' and " characters. But this, for example, would encode just the <, &, > and " characters:
$encoded = encode_entities($input, '<>&"');
[download]

It converts plain text into tag-less HTML.

Comment on Re: Preventing XSS Select or Download Code

Replies are listed 'Best First'.
Re^2: Preventing XSS (sg) by tye (Sage) on Sep 19, 2007 at 20:48 UTC
Note that I see no reason to encode quote characters here. It isn't like the result is being placed into an attribute value. (: And I probably wouldn't encode all ampersands since they are useful and rather low risk. If you are worried about the little-supported javascriptish ampersand stuff, then I'd only encode those ampersands. But I guess taking something useful away from users out of combined fear and laziness is not a shockingly rare result. Which leaves us with a couple of simple regexes and little reason to use a module: `s/&{/&{/g; s/</</g;` [download] - tye	[reply] [d/l]

Replies are listed 'Best First'.

Re^2: Preventing XSS (sg)
by tye (Sage) on Sep 19, 2007 at 20:48 UTC

Note that I see no reason to encode quote characters here. It isn't like the result is being placed into an attribute value. (:

And I probably wouldn't encode all ampersands since they are useful and rather low risk. If you are worried about the little-supported javascriptish ampersand stuff, then I'd only encode those ampersands. But I guess taking something useful away from users out of combined fear and laziness is not a shockingly rare result.

Which leaves us with a couple of simple regexes and little reason to use a module:

s/&{/&amp;{/g;
s/</&lt;/g;
[download]

- tye

[reply]
[d/l]