XSS,CGI && Template Toolkit
David Dick
david_dick at iprimus.com.au
Wed Nov 6 01:19:27 CST 2002
Got a bit of a problem with Cross Site Scripting. The way I've been
writing web apps is by using $cgi->param to suck in values from the user
and using the Template Toolkit to generate the html. However, CGI.pm
seems to assume that you'll use the CGI.pm routines to output html, so
the param method unencodes everything it can, while the CGI.pm output
commands encode them. Translated: <INPUT TYPE="TEXT"
NAME="Something" VALUE="&lt;SCRIPT&gt;"> will be translated by
$cgi->param into <SCRIPT> and the print commands will reencode it as
&lt;SCRIPT&gt; to protect against Cross Site Scripting attacks. The way
I've been thinking, CGI.pm does do the correct thing, the place to
encode all of that stuff is in the output routine. I can't find an easy
way of doing this in Template Toolkit. I think I need an automatic
FILTER or something. Anyone else have this problem or come up with an
easy solution?
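As an added example that is not part of the post, the script below reproduces the situation described above: CGI.pm decodes the submitted value, and Template Toolkit writes it out either verbatim or through its built-in html filter, which does the output-side encoding that CGI.pm's own html routines would otherwise do. The request string is constructed.

```perl
#!/usr/bin/perl
# Added example (not from the original post): one decoded CGI value rendered
# by Template Toolkit without and with the html filter.
use strict;
use warnings;
use CGI;
use Template;

# Constructed request: the browser URL-encodes the field, CGI.pm decodes it.
my $cgi   = CGI->new('Something=%3CSCRIPT%3E');
my $value = $cgi->param('Something');   # now the plain string <SCRIPT>

my $tt   = Template->new() or die Template->error();
my %vars = ( something => $value );

# Unsafe: the decoded value is written into the page verbatim, so any markup
# characters in it (including a quote that would end the attribute) reach the
# browser unescaped.
my $unsafe_tmpl = q{<input type="text" name="Something" value="[% something %]">};

# Safe: the html filter entity-encodes & < > and " at output time, so the
# browser sees value="&lt;SCRIPT&gt;" and treats it as text, not markup.
my $safe_tmpl = q{<input type="text" name="Something" value="[% something | html %]">};

for my $pair ( [ unsafe => $unsafe_tmpl ], [ safe => $safe_tmpl ] ) {
    my ( $label, $tmpl ) = @$pair;
    my $out = '';
    $tt->process( \$tmpl, \%vars, \$out ) or die $tt->error();
    print "$label: $out\n";
}
```

Applying the filter to every directive automatically is not a core Template Toolkit feature; the CPAN module Template::AutoFilter (not exercised here) wraps Template to do that, and the block-level FILTER directive is not a substitute because it also encodes the literal markup inside the block.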
More information about the Melbourne-pm mailing list