Dave Rolsky wrote: > On Wed, 11 Apr 2007, Andreas Falch wrote: > >> I've been using HTML::Mason quite a while and would like to be enlightened >> on cross-site scripting best practices. There is an example on a argument >> filtering plugin HTML::Mason::Plugin::PreventCrossSiteScripting at: >> >> http://www.masonhq.com/?SamplePlugins >> >> This post says that this is a wrong approach: >> >> http://marc.info/?l=mason&m=115477961103781&w=2 >> >> In what way is this wrong and what can be done to correct it? > > I think the person saying it was wrong was implying that a better approach > is to use a real HTML parser to remove unwanted tags. Take a look at a > module like HTML::Scrubber.
My best practice is simply to get mason to escape everything, by default[1]. Having to explicitly unescape things in order to let through an XSS attack is a very good idea, IMHO. -Dom [1] default_escape_flags => 'h' ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Mason-users mailing list Mason-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mason-users
