I've had really good results with HTML::StripScripts::Parser; you can set allowed tags and attributes and stop JavaScript injection. You can also set allowed attributes on certain tags only; it's really flexible.

On 29 Jun 2014 05:14, "bill hauck" <wbha...@yahoo.com> wrote:
> Hi.
>
> Please forgive me if this is an easy one. It's late and I haven't found
> any mention of it.
>
> I'd like to encode form fields so that only the standard bold, italic,
> underline, list, etc. are allowed and script, style, etc. tags are
> encoded. Also, I'd like to only let the base tags through and no
> attributes so setting an onmouseover in a paragraph is encoded. Basically
> I'm trying to avoid XSS and other nastiness.
>
> Is there a module that does this to all parameters at once? Do I simply
> need to do it to each parameter I accept? For now I've been adding the html
> filter in my Template Toolkit templates, but that's a pain and relies on
> each output field filtering. I'd like to encode before storing the data in
> the database so it's safe no matter how it's presented.
>
> Any help is appreciated.
>
> Thanks,
>
> bill
>
> _______________________________________________
> List: Catalyst@lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
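The approach the reply recommends, as an added example that is not code from either poster: one HTML::StripScripts::Parser instance configured with an allow-list of formatting tags and no attributes, applied to every submitted parameter at once (the shape of the hash matches what Catalyst's `$c->req->params` returns). The `Rules`, `Context` and `EscapeFiltered` options follow the HTML::StripScripts documentation as I recall it, so check them against the installed version; the `%submitted` form data is constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::StripScripts::Parser;   # CPAN module recommended in the reply above

# Build one filter and reuse it for every field. Option names follow the
# HTML::StripScripts docs (assumption: verify against your installed version).
my @allowed_tags = qw(b strong i em u p br ul ol li);

my $filter = HTML::StripScripts::Parser->new(
    {
        Context        => 'Flow',  # block-level tags (p, ul, ol) as well as inline ones
        AllowSrc       => 0,       # no src= attributes, so nothing is fetched from elsewhere
        AllowHref      => 0,       # no href= either; plain formatting only
        EscapeFiltered => 1,       # disallowed tags are entity-escaped, not silently dropped,
                                   # which is the "encoded" behaviour the question asked for
        Rules          => {
            '*' => 0,              # deny every tag by default ...
            # ... then allow the formatting tags, each with all attributes denied,
            # so onmouseover= and friends never survive on an otherwise allowed tag
            map { $_ => { '*' => 0 } } @allowed_tags,
        },
    },
);

# Sanitize every value in a parameter hash. Multi-valued parameters arrive as
# array refs, so handle both scalars and arrays; returns a new hash ref.
sub sanitize_params {
    my ($params) = @_;
    my %clean;
    for my $name (keys %$params) {
        my $value = $params->{$name};
        $clean{$name} = ref $value eq 'ARRAY'
            ? [ map { $filter->filter_html($_) } @$value ]
            :   $filter->filter_html($value);
    }
    return \%clean;
}

# Constructed sample input standing in for one submitted form.
my %submitted = (
    title => 'A <i>formatted</i> title',
    body  => '<p onmouseover="alert(1)">Hello <b>world</b></p><script>alert(1)</script>',
    tags  => [ '<u>one</u>', '<img src="x.png">two' ],
);

my $clean = sanitize_params(\%submitted);
for my $name (sort keys %$clean) {
    my $v = $clean->{$name};
    print "$name: ", (ref $v ? join(' | ', @$v) : $v), "\n";
}
```

With this configuration the allowed tags come through stripped of their attributes and everything else is turned into visible entity-escaped text, which is what the original question wanted stored. Two things to keep in mind when storing the sanitized value instead of filtering on output: the stored HTML now has to be rendered without Template Toolkit's `html` filter (otherwise the allowed tags are double-encoded), so every other field still needs that filter, and the allow-list is frozen at store time, so if you later tighten it the rows already in the database are not re-filtered unless you re-run the sanitizer over them.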