XSS,CGI && Template Toolkit

David Dick david_dick at iprimus.com.au
Wed Nov 6 13:03:01 CST 2002

Yeah, but that puts the responsibility for preventing XSS attacks onto 
the html coder, which is not what I want to rely on.

Daniel Walmsley wrote:

>Doesn't TT2 have a built-in html filter? [% myval | html %]
>-----Original Message-----
>From: David Dick [mailto:david_dick at iprimus.com.au] 
>Sent: Wednesday, 6 November 2002 6:19 PM
>To: melbourne-pm at pm.org
>Subject: XSS,CGI && Template Toolkit
>Got a bit of a problem with Cross Site Scripting.  The way I've been 
>writing web apps is by using $cgi->param to suck in values from the user 
>and using the Template Toolkit to generate the html.  However, CGI.pm 
>seems to assume that you'll use the CGI.pm routines to output html, so 
>the param method unencodes everything it can, while the CGI.pm output 
>commands encode them.  Translated..... <INPUT TYPE="TEXT" 
>NAME="Something" VALUE="&lt;SCRIPT&gt;"> will be translated by 
>$cgi->param into <SCRIPT> and the print commands will reencode it as 
>&lt;SCRIPT&gt; to protect against Cross Site Scripting attacks.  The way 
>I've been thinking, CGI.pm does do the correct thing; the place to 
>encode all of that stuff is in the output routine.  I can't find an easy 
>way of doing this in Template Toolkit.  I think I need an automatic 
>FILTER or something.  Anyone else have this problem or come up with an 
>easy solution?
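The three cases discussed in this thread side by side, as an added example that is not from either poster: the raw `[% var %]` interpolation that lets the decoded value through, the `| html` filter Daniel mentions, and one way to escape every scalar before Template Toolkit sees it so the template author is not the last line of defence. The `escape_vars` helper and the sample value are constructed here; only `Template->new`, `process` and the built-in `html` filter are Template Toolkit's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Minimal HTML escaper (written for this example; not CGI.pm or TT code).
sub html_escape {
    my $s = shift;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Escape every top-level scalar in the variables hash before handing it to TT,
# so output encoding does not depend on the html coder remembering "| html".
# References (nested hashes/arrays) are passed through untouched in this example.
sub escape_vars {
    my $vars = shift;
    return { map { $_ => ref $vars->{$_} ? $vars->{$_} : html_escape($vars->{$_}) }
             keys %$vars };
}

# Constructed sample: what $cgi->param('Something') hands back after CGI.pm has
# decoded a submitted value of "&lt;SCRIPT&gt;".
my $vars = { something => '<SCRIPT>' };

my $tt       = Template->new();
my $raw      = 'VALUE="[% something %]"';          # no output encoding at all
my $filtered = 'VALUE="[% something | html %]"';   # TT2's built-in html filter

my ($out_raw, $out_filtered, $out_pre) = ('', '', '');
$tt->process(\$raw,      $vars,               \$out_raw)      or die $tt->error;
$tt->process(\$filtered, $vars,               \$out_filtered) or die $tt->error;
$tt->process(\$raw,      escape_vars($vars),  \$out_pre)      or die $tt->error;

print "raw:         $out_raw\n";        # <SCRIPT> reaches the browser unencoded
print "html filter: $out_filtered\n";   # &lt;SCRIPT&gt;
print "pre-escaped: $out_pre\n";        # &lt;SCRIPT&gt; with no filter in the template
```

Pre-escaping the whole hash means a value that legitimately contains markup must be explicitly left out of `escape_vars`, which is the safer default when the alternative is a forgotten filter.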
