XSS,CGI && Template Toolkit

David Dick david_dick at iprimus.com.au
Wed Nov 6 01:19:27 CST 2002

Got a bit of a problem with Cross Site Scripting.  The way I've been 
writing web apps is by using $cgi->param to suck in values from the user 
and using the Template Toolkit to generate the html.  However, CGI.pm 
seems to assume that you'll use the CGI.pm routines to output html, so 
the param method unencodes everything it can, while the CGI.pm output 
commands encodes them.  Translated..... <INPUT TYPE="TEXT" 
NAME="Something" VALUE="&lt;SCRIPT&gt;"> will be translated by 
$cgi->param into <SCRIPT> and the print commands will reencode it as 
&lt;SCRIPT&gt; to protect against Cross Site Scripting attacks.  The way 
i've been thinking, CGI.pm does do the correct thing, the place to 
encode all of that stuff is in the output routine.  I can't find a easy 
way of doing this in Template Toolkit.  I think I need a automatic 
FILTER or something.  Anyone else have this problem or come up with an 
easy solution?

More information about the Melbourne-pm mailing list