Thanks Gerald,

Now this also escapes what comes from what is generated from inside the Perl itself (which I know is the correct behaviour). What I want is that any user-entered data (i.e. any externally passed param) is escaped, but not what internally generated Perl has done (i.e. a combination of $escmode 0 and 4).

Is this unfeasible?

-----Original Message-----
From: Gerald Richter [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 24 January 2006 6:45 PM
To: 'Pete Moran'; embperl@perl.apache.org
Subject: RE: Cross Site Scripting

Hi,

> I know there is probably a simple answer - according to the
> docs if I set EMBPERL_ESCMODE to 4, then it should fix any
> cross site scripting.

No, 4 is wrong, the best is to use 7 (which is the default). 4 is only for disabling the special meaning of \ and will do nothing on its own.

You can see that it works at

http://www.perl-workshop.de/db/register.epl?lastname=%22%3E%3Cscript%3Ealert('vorsichtfalle!')%3C/script%3E%3C%22

Gerald

> However if I have a text field called guess, and pass the
> following line
>
> ?guess=%22%3E%3Cscript%3Ealert('vorsichtfalle!')%3C/script%3E%3C%22
>
> The alert will appear - how can I disable this behavior, but
> keep the normal fdat form population?

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
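The distinction Pete is asking for, escaping only the externally supplied value while leaving the template's own markup alone, is easy to show in plain Perl. The following is an added example, not code from the thread or from Embperl: the `%fdat` hash is constructed here to stand in for Embperl's form-data hash, and `parse_query`, `escape_html` and `text_input` are hypothetical helpers written for this illustration, not Embperl functions.

```perl
#!/usr/bin/perl
# Added example, not part of the original thread or of Embperl.
# Shows the boundary Pete describes: data that arrived from the client
# (the query string) is HTML-escaped on output; markup the template
# author wrote is emitted as-is.
use strict;
use warnings;

# Decode a query string into a hash of form data. This constructed hash
# plays the role of Embperl's %fdat; the decoding is ordinary
# application/x-www-form-urlencoded handling (%XX and '+' for space).
sub parse_query {
    my ($query) = @_;
    $query =~ s/^\?//;
    my %fdat;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        }
        $fdat{$k} = $v;
    }
    return \%fdat;
}

# Escape the five characters that let a value break out of an attribute
# or start new markup. This is the output-side defence against the
# payload in the thread; it is applied only to untrusted values.
sub escape_html {
    my ($s) = @_;
    return '' unless defined $s;
    my %map = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Re-populate one text field. $name comes from the template author and is
# trusted, so it is not escaped; $fdat->{$name} came from the client and is.
sub text_input {
    my ($name, $fdat) = @_;
    return sprintf('<input type="text" name="%s" value="%s">',
                   $name, escape_html($fdat->{$name}));
}

# Constructed input: the exact query string quoted in the thread.
my $fdat = parse_query(
    q{?guess=%22%3E%3Cscript%3Ealert('vorsichtfalle!')%3C/script%3E%3C%22}
);

# Template-generated markup (trusted) around the escaped user value.
print "<form method=\"post\">\n";
print "  ", text_input('guess', $fdat), "\n";
print "</form>\n";
```

Running it prints the `guess` field with the quotes and angle brackets of the payload turned into entities, so the browser shows the attacker's string inside the text box instead of executing it. The rule the code encodes is the one Gerald's reply relies on: escaping belongs at the point where untrusted data is written into HTML, independent of how the surrounding page was produced.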