XSS,CGI && Template Toolkit
Daniel Walmsley
daniel at landmarksoftware.com.au
Tue Nov 5 20:26:44 CST 2002
Doesn't TT2 have a built-in html filter? [% myval | html %]

-----Original Message-----
From: David Dick [mailto:david_dick at iprimus.com.au]
Sent: Wednesday, 6 November 2002 6:19 PM
To: melbourne-pm at pm.org
Subject: XSS,CGI && Template Toolkit

Got a bit of a problem with Cross Site Scripting. The way I've been
writing web apps is by using $cgi->param to suck in values from the user
and using the Template Toolkit to generate the html. However, CGI.pm
seems to assume that you'll use the CGI.pm routines to output html, so
the param method unencodes everything it can, while the CGI.pm output
commands encode them. Translated..... <INPUT TYPE="TEXT"
NAME="Something" VALUE="&lt;SCRIPT&gt;"> will be translated by
$cgi->param into <SCRIPT> and the print commands will reencode it as
&lt;SCRIPT&gt; to protect against Cross Site Scripting attacks. The way
I've been thinking, CGI.pm does do the correct thing, the place to
encode all of that stuff is in the output routine. I can't find an easy
way of doing this in Template Toolkit. I think I need an automatic
FILTER or something. Anyone else have this problem or come up with an
easy solution?
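Daniel's [% myval | html %] suggestion and the "automatic" variant David asks for, written out as an added Perl example. This is not code from either poster; it assumes Template Toolkit and CGI.pm are installed, and the template text and the "comment" parameter value are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use Template;

# Constructed input standing in for a real request: an attribute value that
# would become live script if echoed into the page unencoded.
my $q = CGI->new({ comment => '<script>alert(1)</script>' });

my $tt = Template->new() or die Template->error;

# 1. Escape at the point of output with TT2's built-in 'html' filter.
#    The 'raw' line shows the problem described in the thread: the value
#    lands in the page exactly as the user supplied it.
my $per_variable = <<'TT';
raw:      <input type="text" name="comment" value="[% comment %]">
filtered: <input type="text" name="comment" value="[% comment | html %]">
TT

$tt->process(\$per_variable, { comment => scalar $q->param('comment') })
    or die $tt->error;

# 2. The "automatic" approach: escape every user-supplied parameter once,
#    before it reaches the template, so no individual [% ... %] can be
#    forgotten. Variables built this way must NOT get '| html' again,
#    or '&' would be double-encoded to '&amp;amp;'.
my %safe = map { $_ => $q->escapeHTML(scalar $q->param($_)) } $q->param;

my $pre_escaped = <<'TT';
auto:     <input type="text" name="comment" value="[% comment %]">
TT

$tt->process(\$pre_escaped, \%safe) or die $tt->error;
```

The first template prints the raw value once and its encoded form (&lt;script&gt;...) once, which is the difference between an injectable page and a safe one. The second template is safe without any filter because the escaping happened in one place, at the boundary between the request and the template; the trade-off is that every variable in %safe is now HTML-encoded text, so it can no longer be used for anything but HTML output (a URL or a database write would need the original).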