Perl programmers, protect against XSS

This post is meant for Perl programmers, as a hint for writing code that is intended to be safe (no guarantees!) from cross-site scripting (XSS) problems. The main message, as always, is to encode your data before it is displayed to browsers, especially when that data comes from untrusted sources (user input, databases, etc.). You can use HTML encoding, URL encoding, or a home-grown method of your choice, depending on the context in which the encoded value is placed on the page.

www-perl 

One option, using the HTML::Entities module (historically distributed with libwww-perl), would be:

use HTML::Entities;   # HTML::Entities::encode escapes <, >, &, " and '

# both values are rendered as text between tags, so HTML encoding is the right context
print "Information: ", HTML::Entities::encode($text);
print "It is located in (URL): ", HTML::Entities::encode($text);

Apache utils

A different alternative, using Apache::Util from mod_perl 1.x, would be:

use Apache::Util;
use Apache::Constants qw(OK);

# mod_perl 1.x content handler; $r is the Apache request object
sub handler {
    my $r = shift;
    $r->print(Apache::Util::escape_html($myText), "\n");
    $r->print('<a href="/">link</a>');   # static markup needs no escaping
    return OK;
}
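As an added example (not from the original post) of the context-sensitive encoding described above, the following script places untrusted input into a text node, a quoted attribute and a URL query parameter, using HTML::Entities and URI::Escape (both assumed to be installed from CPAN); the input strings are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);
use URI::Escape    qw(uri_escape_utf8);

# Constructed untrusted input, as if read from a form field or a database row.
my $display_name = q{Bob <script>alert("xss")</script>};
my $search_term  = q{"><script>alert(1)</script>&x=y};

# Context 1: text between tags. <, >, & and both quote characters become entities.
sub html_text {
    my ($s) = @_;
    return encode_entities($s, q{<>&"'});
}

# Context 2: an attribute value. Same entity set, and the result is returned
# already wrapped in double quotes so a space or quote can never end the value.
sub html_attr {
    my ($s) = @_;
    return '"' . encode_entities($s, q{<>&"'}) . '"';
}

# Context 3: one parameter inside a query string. Percent-encoding keeps the
# value from being read as extra parameters or as path characters.
sub url_param {
    my ($s) = @_;
    return uri_escape_utf8($s);
}

# Build a fragment that places the untrusted data in all three contexts.
# Note the layering: the query value is percent-encoded first, then the whole
# href value is HTML-encoded because it lives inside an attribute.
sub render_search_link {
    my ($name, $term) = @_;
    my $href = '/search?q=' . url_param($term);
    return sprintf(
        qq{<p>Hello, %s</p>\n<a href=%s title=%s>search again</a>\n},
        html_text($name),
        html_attr($href),
        html_attr($term),
    );
}

print render_search_link($display_name, $search_term);
```

Encoding must happen at the point of output, once per context; encoding the value on the way into the database instead leaves every other output path unprotected and leads to double-encoded text.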

I will keep working on this information in future posts - this is just a first step forward.

© 2009 penetrationtests.com