Hi,

This is pretty topical for me, but a little off topic for HTML::Template. I was looking for a good example on how to do this filtering. In the Perl world I found HTML::StripScripts and it looked like a good idea at the time sort of thing; it just seemed too good/complex for me. Like the best way to do things, but I don't have time for that :)

I found this example in PHP and was trying to convert it to Perl. I got most of it working, but the last part I am a little baffled about what it is really for: http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php

Below is my version of the above, which skips that last set of loops. I get what they do, but I don't get why or in what circumstance that filtering is needed, and I am not really sure why he breaks the tags instead of just removing them; maybe it is more for illustration than live use? The $val test in the script is from one of the many examples on http://ha.ckers.org/xss.html

On another note, I was very happy to find mod_security, which I am testing out now. My first thought had been to do something with an Apache module, because this kind of filtering I think belongs at the web server level, not the application level; that seems so much safer to me when you have a bunch of code sitting around from various people that can't all be audited and kept that way. But then once I started looking into this I found mod_security already does this and is extremely configurable. One thing I was wondering about: if anyone has compiled this with PCRE I would love to know how you did it. One possible issue mentioned on their site says doing the module compile that way prevents some issues with certain types of regexp.
Thanks,
Eric

use strict;
use warnings;

# Port of the PHP RemoveXSS() linked above, wrapped back into a sub so the
# test at the bottom can call it.  Two literals below were scrubbed by the
# list archive and appear as [EMAIL PROTECTED]; they are left as archived.
sub RemoveXSS {
    my $val = shift;

    # Strip control characters.  This must be a single character class; the
    # original's three consecutive classes only matched a three-byte run.
    $val =~ s/[\x00-\x08\x0b-\x0c\x0e-\x20]/ /g;

    # Every character the keyword pass cares about.  Hex and decimal entity
    # encodings of them (with optional leading zeros and optional ';') are
    # turned back into the literal character, otherwise a browser would
    # decode e.g. &#106;avascript while the keyword match below misses it.
    my $search = 'abcdefghijklmnopqrstuvwxyz';
    $search   .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search   .= '[EMAIL PROTECTED]&*()';
    $search   .= '~`";:?+/={}[]-_|\'\\';

    foreach my $char (split //, $search) {
        my $hex = sprintf '%x', ord $char;   # in place of Data::Translate->d2h
        my $dec = ord $char;
        $val =~ s/&#[xX]0{0,8}$hex;?/$char/gi;   # &#x6A; &#X006a ...
        $val =~ s/&#0{0,8}$dec;?/$char/gi;       # &#106;  &#0106  ...
    }

    # Dangerous tags, attributes and event handlers are broken with <x>.
    my @ra = qw(javascript vbscript expression applet meta xml blink link style
        script embed object iframe frame frameset ilayer layer bgsound title base
        onabort onactivate onafterprint onafterupdate onbeforeactivate onbeforecopy
        onbeforecut onbeforedeactivate onbeforeeditfocus onbeforepaste onbeforeprint
        onbeforeunload onbeforeupdate onblur onbounce oncellchange onchange onclick
        oncontextmenu oncontrolselect oncopy oncut ondataavailable ondatasetchanged
        ondatasetcomplete ondblclick ondeactivate ondrag ondragend ondragenter
        ondragleave ondragover ondragstart ondrop onerror onerrorupdate
        onfilterchange onfinish onfocus onfocusin onfocusout onhelp onkeydown
        onkeypress onkeyup onlayoutcomplete onload onlosecapture onmousedown
        onmouseenter onmouseleave onmousemove onmouseout onmouseover onmouseup
        onmousewheel onmove onmoveend onmovestart onpaste onpropertychange
        onreadystatechange onreset onresize onresizeend onresizestart onrowenter
        onrowexit onrowsdelete onrowsinserted onscroll onselect onselectionchange
        onselectstart onstart onstop onsubmit onunload);
    foreach my $badword (@ra) {
        $val =~ s/$badword/<x>/gi;
    }
    return $val;
}

# Test string from http://ha.ckers.org/xss.html (q!! does not interpolate @)
my $val = q!<IMG SRC=@avascript:alert('XSS')>!;
print "$val\n";
print '####', RemoveXSS($val), "#####\n";
## should print <IMG [EMAIL PROTECTED]<x>ript:alert('XSS')>

At 05:12 PM 25/10/2006, Mathew Robertson wrote:
> >> Having read the thread, I don't think that's enough for me. I want to
> >> still need to explicitly specify "ESCAPE=HTML" everywhere (without
> >> having a default escape), to have an exception raised on a non-escaped
> >> occurrence, and to add an explicit unescaping (like "ESCAPE="0"").
> >
> > Let me see if I've got this straight: you want to force the template
> > writer to include "ESCAPE=something" in every TMPL_VAR, where
> > "something" can be "HTML", "URL", or a value indicating "no escapes"
> > (say, "TEXT"); failure to do so would cause a catchable error in your
> > script when you try to evaluate the template. Right?
>
> hmm... it doesn't sound right at all. Forcing the developer to
> remember to have to type ESCAPE=... for every TMPL_VAR is just not
> right.
>
> I personally forget to even use NAME=... and I just about never
> quote the value either due to laziness.
>
> The reality is that people are lazy/forgetful/efficient - the
> general idea in life is to make life easier, not harder. I'd
> suggest just to use the functionality as is, i.e. set default_escape
> to whatever the default is; when no escape is necessary, then the
> developer will explicitly say so.
>
> >> So I guess I'm going to fire up my editor and write an HTML::Template
> >> sub-class.
> >
> > Probably. May I suggest a form for your subclass to take? Let
> > "default_escape" contain two additional values: "TEXT" (which means
> > the same as "0" above, and can also be used in 'ESCAPE=' to override
> > the default with no escaping), and "NONE" (which throws an exception
> > any time a TMPL_VAR lacks 'ESCAPE='). This will let you easily switch
> > to an appropriate default_escape value once transition to the new code
> > is complete.
>
> Please don't use "TEXT" to mean none - there is at least one filter
> that has been posted on this list which is for 'text' documents,
> i.e. the filter is like the HTML filter, but also handles newlines &
> carriage returns, etc. How about "NONE" or "NO" or "0" to mean 'no
> escaping is necessary'.
>
> Also, "NONE" (as described above) should be "THROW" - the term is
> common in computer science, let's use it.
>
> Mathew

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Html-template-users mailing list
Html-template-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/html-template-users
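Added example, not code from the original post or from HTML::Template's distribution: the template-side defence the quoted reply argues for, where `default_escape` HTML-escapes every TMPL_VAR and a variable must opt out explicitly, so the same payload Eric's blacklist tries to catch is rendered as inert text at output time. The template text, the `user` value and the `trusted` value are constructed for this example.

```perl
use strict;
use warnings;
use HTML::Template;

# Constructed template: one variable relies on the default, one picks the
# encoding for its context (a query-string value), one opts out entirely.
my $template_text = <<'TMPL';
<p class="comment"><TMPL_VAR NAME="comment"></p>
<a href="/profile?user=<TMPL_VAR NAME="user" ESCAPE=URL>">profile</a>
<div id="trusted_markup"><TMPL_VAR NAME="trusted" ESCAPE=0></div>
TMPL

my $t = HTML::Template->new(
    scalarref      => \$template_text,
    default_escape => 'HTML',   # every TMPL_VAR without its own ESCAPE= gets this
);

# Attacker-controlled value: the test string from the thread.  HTML escaping
# turns < > & " ' into entities, so the browser shows text instead of a tag,
# regardless of which keywords or entity encodings the input uses.
$t->param(comment => q!<IMG SRC=javascript:alert('XSS')>!);

# Constructed value with a query-string separator; URL escaping keeps it
# from breaking out of the user= parameter.
$t->param(user => 'eric&role=admin');

# Markup the application generated itself (constructed); ESCAPE=0 emits it
# verbatim, which is the only place raw markup should ever come from.
$t->param(trusted => '<em>server-generated markup</em>');

print $t->output;
```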