Sven Neuhaus wrote:
> The "force_untaint" option. This option makes sure that no tainted values
> are set in the template.
> [...]
> Please let me know what you think. I believe this would be very helpful in
> preventing cross-site-scripting (CSS) bugs.
No feedback? :-(

I believe honoring Perl's taint flag in HTML::Template is a more Perlish and natural solution to the XSS problem than the proposal by Shlomi Fish ("Suggestion on how to eliminate Cross-site-scripting (XSS) bugs for good."). Combine this with DBI's TaintIn flag and it gets pretty hard to accidentally leave XSS bugs in.

I've been using the patched version of HTML::Template for two weeks now without problems. I have modified the 2nd patch slightly so it tells you which parameter is tainted in some easy cases (like the first patch did).

-Sven
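The idea in the thread, taint-checking values before they reach the template and untainting only after HTML-escaping, can be shown without the patch itself. The script below is an added example, not the patch or HTML::Template's own code: it implements the check in a wrapper around `param()` using the core `Scalar::Util::tainted` function, so the names `set_param_checked` and `escape_and_untaint` are assumptions, and the sample input is constructed and deliberately tainted. Run it with `perl -T`.

```perl
#!/usr/bin/perl -T
# Added example (not the thread's patch): refuse tainted template parameters
# and show the one sanctioned route to untainting, escaping first.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use HTML::Template;

# HTML-escape a string; because the result can no longer carry markup, untaint
# it with Perl's standard idiom (a regex capture yields an untainted copy).
sub escape_and_untaint {
    my ($value) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    (my $escaped = $value) =~ s/([&<>"'])/$ent{$1}/g;
    my ($clean) = $escaped =~ /\A(.*)\z/s;   # capture result is untainted
    return $clean;
}

# Wrapper around HTML::Template::param() that dies on tainted input and names
# the offending parameter. This mimics what a force_untaint option would do
# inside the module (assumption: the patch's exact behaviour may differ).
sub set_param_checked {
    my ($tmpl, $name, $value) = @_;
    die "Refusing to set tainted value for template parameter '$name'\n"
        if tainted($value);
    $tmpl->param($name => $value);
    return 1;
}

my $tmpl = HTML::Template->new(
    scalarref => \'<p>Hello, <TMPL_VAR NAME="who"></p>',
);

# Constructed sample input. Under -T only external data (%ENV, @ARGV, STDIN,
# DBI with TaintIn) is tainted, so a literal is tainted here by concatenating
# an empty tainted string derived from %ENV.
my $taint      = substr(join('', values %ENV), 0, 0);
my $user_input = '<script>alert(1)</script>' . $taint;

# 1. Raw tainted input is rejected before it can reach the template.
eval { set_param_checked($tmpl, 'who', $user_input) };
print "rejected: $@" if $@;

# 2. Escaped, and therefore untainted, input is accepted and rendered inert.
set_param_checked($tmpl, 'who', escape_and_untaint($user_input));
print $tmpl->output;
```

The point of the pairing is that the taint flag travels with the data: a value coming from a CGI parameter or a TaintIn database handle cannot be set on the template until something has explicitly transformed it, and the only transformation offered here is the escaper, so forgetting to escape fails loudly instead of silently shipping an XSS.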