Perl programmers, protect against XSS
This post is meant for any Perl programmers out there, as a hint for writing code that is meant to be safe (no guarantees!) from cross-site scripting (XSS) problems. The main message, as always, is to make sure you encode your data before it is displayed to browsers, especially when that data comes from untrusted sources (e.g. user input, databases, etc.). You can go for HTML encoding or URL encoding, or even a home-grown method of your choice, depending on the context of what is being encoded and where it is being placed.
www-perl
An alternative using www-perl would be:
use HTML::Entities;   # encode() lives in HTML::Entities (part of HTML-Parser, pulled in by libwww-perl); CGI::Escape does not provide it
print "Information", HTML::Entities::encode($text);                 # $text lands in an HTML text node, so entity-encode it
print "It is located in (URL)", HTML::Entities::encode($text);      # same here: printed as text, not inserted into the href itself
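The point of the intro, that the encoding has to match the context the value lands in, is easier to see side by side. The following is an added example, not code from the original post: it renders the same two untrusted values once without encoding and once with HTML entity encoding for the text node and percent-encoding (plus entity encoding) for the value placed inside a URL attribute. The input strings and the sub names render_unsafe/render_safe are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);
use URI::Escape    qw(uri_escape);

# Constructed sample input standing in for attacker-controlled form fields.
my $name  = q{<script>alert(1)</script>};
my $query = q{a&b=c "d" 'e'};

# Vulnerable: untrusted data interpolated straight into the markup.
sub render_unsafe {
    my ($name, $query) = @_;
    return qq{<p>Hello $name</p>\n<a href="/search?q=$query">search</a>\n};
}

# Hardened: every value is encoded for the context it ends up in.
#  - HTML text node           -> entity encoding
#  - value in a URL query     -> percent-encoding first (URI::Escape),
#                                then entity encoding because the whole URL
#                                sits inside an HTML attribute
# encode_entities' default set does not include the single quote, so the
# characters to escape are listed explicitly to stay safe in either quoting style.
my $UNSAFE = q{<>&"'};

sub render_safe {
    my ($name, $query) = @_;
    my $html_name = encode_entities($name, $UNSAFE);
    my $url       = '/search?q=' . uri_escape($query);   # e.g. a%26b%3Dc%20%22d%22%20%27e%27
    my $html_url  = encode_entities($url, $UNSAFE);
    return qq{<p>Hello $html_name</p>\n<a href="$html_url">search</a>\n};
}

print "--- unsafe ---\n", render_unsafe($name, $query);
print "--- safe ---\n",   render_safe($name, $query);
```

Run it with `perl xss_encode.pl`; the unsafe branch emits the script tag and an href with raw quotes, while the safe branch shows `&lt;script&gt;` in the paragraph and a query string with no character that can close the attribute or add a parameter. Both modules ship with libwww-perl's dependency set, so nothing beyond a standard LWP install is needed.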
Apache utils
A different alternative now using Apache utils can be:
use Apache::Util;
…
…
# $e is assumed to be the Apache request object (the original leaves it undefined)
$e->print(Apache::Util::escape_html($myText), "\n");   # escape_html() entity-encodes the untrusted text
$e->print('<a href="/">link</a>');                       # fixed, trusted markup needs no encoding
I will keep working on this information in future posts - this is just a first step forward.