in reply to HTML cleanup of user submitted content
Hi
Belated thanks for the responses. I thought I'd update with what I did. I got sidetracked from this project a bit but I'm back into it now.
HTML::StripScripts looks like what I need: I'm more concerned about XSS attacks than anything else. I'd not found that in the various searches that I did.
I did some further testing of HTML::Defang and it's pretty impressive. Example:
<IMG SRC=javascript:a& +#x6Cert('XSS')>
Becomes:
<IMG defang_SRC=javascript:alert('XSS')>
Note the lack of semicolons on the encoded character references in an attempt to confuse filters. (taken from ha.ckers.org/xss.html)
I will do some similar tests on HTML::StripScripts and post the results. This module has some options that I may find useful compared to HTML::Defang (escape disallowed tags with </> so they appear on the page, for example) - to be investigated and tested.
Looking into the possibilities has made me think seriously about disallowing HTML entry at all and using another markup language. That still has to be tested for allowing scripts though ;-)
Cheers
FalseVinylShrub
Disclaimer: Please review and test code, and use at your own risk... If I answer a question, I would like to hear if and how you solved your problem.
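An added example, not code from HTML::Defang or HTML::StripScripts, of the behaviour the post observes: a URL attribute is only safe to check after character references (semicolon or not) and embedded whitespace have been decoded, and an unsafe attribute is renamed the way Defang's `defang_SRC` output shows. Function names and sample inputs are my own; the regex-based attribute scan is a simplification, not a full HTML parser.

```python
import re

# Numeric character references; the terminating semicolon is optional, which is
# exactly what the semicolon-less payloads rely on browsers accepting.
_NUM_REF = re.compile(r'&#(?:x([0-9a-fA-F]+)|([0-9]+));?')

# Schemes an untrusted submission may link to (assumed allowlist).
SAFE_SCHEMES = {"http", "https", "mailto"}

def decode_numeric_refs(value: str) -> str:
    """Decode &#NNN and &#xHH references, with or without a trailing ';'."""
    def repl(m):
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        return chr(code) if code <= 0x10FFFF else ""
    return _NUM_REF.sub(repl, value)

def is_safe_url(value: str) -> bool:
    """Decode first, then strip the control/whitespace bytes browsers ignore, then check the scheme."""
    decoded = decode_numeric_refs(value)
    compact = re.sub(r"[\x00-\x20\x7f]", "", decoded)
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):", compact)
    if not m:
        return True  # no scheme: a relative URL
    return m.group(1).lower() in SAFE_SCHEMES

# src=... / href=... inside a tag, quoted or bare (simplified scan, not a parser).
_URL_ATTR = re.compile(r"(\s)(src|href)(\s*=\s*)(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.I)

def defang_url_attrs(html: str) -> str:
    """Rename an unsafe src/href to defang_src/defang_href so it is inert but still visible."""
    def repl(m):
        raw = m.group(4).strip("\"'")
        if is_safe_url(raw):
            return m.group(0)
        return f"{m.group(1)}defang_{m.group(2)}{m.group(3)}{m.group(4)}"
    return _URL_ATTR.sub(repl, html)

if __name__ == "__main__":
    # Constructed samples: decimal references without semicolons, and a tab inside the scheme.
    for s in ['<img src="/images/a.png">',
              '<img src="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert(1)">',
              "<a href='jav&#x09;ascript:alert(1)'>x</a>"]:
        print(defang_url_attrs(s))
```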