Hi all, I'm running a forum that runs on Embperl 1.3.3, and I just found a security problem in it: it doesn't correctly filter HTML tags.
Since I'm enriching users' texts (to use italics for lines starting with a '>', and to "vivify" URLs), I'm not simply using Embperl's automatic escaping. Instead, I'm using HTML::Embperl::Execute:

(page)

    ...
    [+ local $escmode=0; UserText($message) +]
    ...

(module)

    ...
    sub UserText($) {
        my($t) = @_;
        my($r);
        HTML::Embperl::Execute({'escmode'   => 1,
                                'input'     => \$t,
                                'inputfile' => 'usersuppliedtext',
                                'output'    => \$r});
        $r =~ s/\x0d\x0a/<BR>\n/g;
        $r =~ s@^(>.*)$@<I>$1</I>@gm;
        $r =~ s@((?:ftp|http|news)://[^ <]*[^ .,:;!?<>()])@<A HREF="$1">$1</A>@gi;
        return $r;
    }
    ...

But despite the 'escmode' => 1 parameter, HTML::Embperl::Execute doesn't seem to HTML-escape <, >, etc.

Thanks in advance,
Pierre.
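As an added example (not part of Pierre's post, and not Embperl code), here is one way to do the escaping and the enrichment together in plain Perl, so the output does not depend on what Execute's escmode does. The idea is to escape the user's text before writing any tag of our own, and to decide where the URLs are on the raw text, so that an attacker's '<', '>' or '"' never reaches the page unescaped and never lands inside an HREF attribute. Note that once the text is escaped, a quoted line begins with '&gt;' rather than '>', so the italics pattern has to look for the entity; the original pattern, run after escaping, would match nothing. The function names, the URL pattern (a tightened form of the one in the post) and the sample message are all my own assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the four characters that can start markup or end an attribute value.
# Written out by hand so the script needs nothing beyond core Perl;
# HTML::Entities::encode_entities($t, '<>&"') does the same job.
sub escape_html {
    my ($t) = @_;
    $t =~ s/&/&amp;/g;      # must come first, or it would re-escape the rest
    $t =~ s/</&lt;/g;
    $t =~ s/>/&gt;/g;
    $t =~ s/"/&quot;/g;
    return $t;
}

# Hypothetical replacement for UserText(): escape, then enrich.
sub user_text {
    my ($t) = @_;

    # Normalise CRLF and lone CR to LF before any line-oriented work.
    $t =~ s/\x0d\x0a?/\n/g;

    # URLs are located in the RAW text, so a '"' or '>' typed by the user can
    # never be part of the match; whitespace is also excluded, so a URL never
    # spans lines. The trailing class keeps sentence punctuation out of the link.
    my $url_re = qr{(?:ftp|http|news)://[^\s<>"]*[^\s.,:;!?<>()"]}i;

    my $out = '';
    my $pos = 0;
    while ($t =~ /$url_re/g) {
        my ($s, $e) = ($-[0], $+[0]);           # match offsets
        $out .= escape_html(substr($t, $pos, $s - $pos));
        my $url = escape_html(substr($t, $s, $e - $s));
        # The same escaped string is safe both as attribute value and as text;
        # a literal '&' in a query string is correctly emitted as '&amp;'.
        $out .= qq{<A HREF="$url">$url</A>};
        $pos = $e;
    }
    $out .= escape_html(substr($t, $pos));

    # Quoted lines: after escaping, the leading '>' has become '&gt;'.
    # A user who literally types '&gt;' ends up with '&amp;gt;' and is not matched.
    $out =~ s{^(&gt;.*)$}{<I>$1</I>}gm;

    # Line breaks last, so the <BR> tags never sit inside the <I> pattern.
    $out =~ s/\n/<BR>\n/g;

    return $out;
}

# Constructed sample message: a script tag, a URL with a query string and
# trailing punctuation, and a quoted line containing markup.
my $message = "Look: <script>alert(1)</script> and http://example.com/?a=1&b=2, ok\r\n"
            . "> quoted <b>line</b>\n";

print user_text($message);
```

Running this prints the script tag as harmless text (&lt;script&gt;...), wraps only http://example.com/?a=1&amp;b=2 in the anchor (the comma stays outside), and italicises the quoted line with its &lt;b&gt; shown literally. The pieces the user controls are all passed through escape_html before concatenation; only the <A>, <I> and <BR> tags are written by the code, which is what makes it safe to emit the result with escmode 0.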