XSS,CGI && Template Toolkit
David Dick
david_dick at iprimus.com.au
Wed Nov 6 13:03:01 CST 2002
Yeah, but that puts the responsibility for preventing XSS attacks onto
the html coder, which is not what I want to rely on.
Daniel Walmsley wrote:
>Doesn't TT2 have a built-in html filter? [% myval | html %]
>
>-----Original Message-----
>From: David Dick [mailto:david_dick at iprimus.com.au]
>Sent: Wednesday, 6 November 2002 6:19 PM
>To: melbourne-pm at pm.org
>Subject: XSS,CGI && Template Toolkit
>
>
>Got a bit of a problem with Cross Site Scripting. The way I've been
>writing web apps is by using $cgi->param to suck in values from the user
>and using the Template Toolkit to generate the html. However, CGI.pm
>seems to assume that you'll use the CGI.pm routines to output html, so
>the param method unencodes everything it can, while the CGI.pm output
>commands encode them. Translated... <INPUT TYPE="TEXT"
>NAME="Something" VALUE="&lt;SCRIPT&gt;"> will be translated by
>$cgi->param into <SCRIPT> and the print commands will reencode it as
>&lt;SCRIPT&gt; to protect against Cross Site Scripting attacks. The way
>I've been thinking, CGI.pm does do the correct thing, the place to
>encode all of that stuff is in the output routine. I can't find an easy
>way of doing this in Template Toolkit. I think I need an automatic
>FILTER or something. Anyone else have this problem or come up with an
>easy solution?
>
>
>
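An added example (not code from anyone in this thread) of the problem described above and of the "encode in the output routine" approach being asked for: every value handed to Template Toolkit is HTML-encoded once, centrally, so individual templates do not have to remember `| html`. The %params hash, encode_vars() and the inline template are constructed for illustration; a real script would fill %params from $cgi->param.

```perl
use strict;
use warnings;
use Template;

# Constructed stand-in for what $cgi->param returns once CGI.pm has
# decoded the submitted form values (no real request is read here).
my %params = (
    name    => 'Something',
    comment => '<SCRIPT>alert(1)</SCRIPT>',
);

# HTML-encode one scalar: the same characters TT's built-in 'html' filter
# replaces, so the output matches writing [% comment | html %].
sub encode_html {
    my ($s) = @_;
    return $s unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Recursively encode every string in the variables handed to the template,
# so escaping lives in the one output routine rather than in each template.
sub encode_vars {
    my ($v) = @_;
    return encode_html($v) unless ref $v;
    return [ map { encode_vars($_) } @$v ] if ref $v eq 'ARRAY';
    return { map { $_ => encode_vars($v->{$_}) } keys %$v } if ref $v eq 'HASH';
    return $v;    # code refs and objects pass through untouched
}

my $template = <<'TT';
<INPUT TYPE="TEXT" NAME="[% name %]" VALUE="[% comment %]">
<P>[% comment %]</P>
TT

my $tt = Template->new();

# Unsafe: the decoded <SCRIPT> lands in the page verbatim.
my $unsafe = '';
$tt->process(\$template, \%params, \$unsafe) or die $tt->error;

# Safe: values are encoded once, centrally, before the template runs.
my $safe = '';
$tt->process(\$template, encode_vars(\%params), \$safe) or die $tt->error;

print "--- without escaping ---\n$unsafe--- with central escaping ---\n$safe";
```

The trade-off is that any variable which legitimately carries markup must be exempted explicitly, which is the inverse of the default-unescaped behaviour the thread is complaining about.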