You should say the applications are not INTENTIONALLY exposed to the
outside world. What you intend and what actually happens are two
different things. Defense in depth is your friend.
Besides using taint mode + roll-your-own regexes, there is a plethora
of modules for cleaning input on CPAN, some better than others.
* HTML::FormHandler
<http://search.cpan.org/%7Egshank/HTML-FormHandler-0.40056/lib/HTML/FormHandler.pm>
* Params::Check
<http://search.cpan.org/author/KANE/Params-Check-0.03/lib/Params/Check.pm>
* Params::Validate
<http://search.cpan.org/author/DROLSKY/Params-Validate-0.59/lib/Params/Validate.pm>
* Data::FormValidator
<http://search.cpan.org/author/MARKSTOS/Data-FormValidator-3.11/lib/Data/FormValidator.pm>
* CGI::Untaint
<http://search.cpan.org/author/TMTM/CGI-Untaint-0.90/lib/CGI/Untaint.pm>
* CGI::Validate
<http://search.cpan.org/author/ZENIN/CGI-Validate-2.000/Validate.pm>
* CGI::ArgChecker
<http://search.cpan.org/author/DLOWE/CGI-ArgChecker-0.02/ArgChecker.pm>
FYI, just because a module is in the CGI namespace doesn't mean you have
to be running your application as a CGI to use it.
Another approach is to use Moose
<http://search.cpan.org/%7Eether/Moose-2.1204/lib/Moose.pm> and let it
check the arguments you pass to it (which is what HTML::FormHandler does).
You might also check out Task::Kensho::WebDev
<http://search.cpan.org/%7Eether/Task-Kensho-WebDev-0.36/lib/Task/Kensho/WebDev.pm>
On 03/13/2014 01:09 PM, Shane McCarron wrote:
Okay, this is probably a stupid question. I have been using Mason (1)
forever. I have a number of applications deployed using it. I have
never really worried about XSS attacks or input cleaning, but one of my
customers reminded me today that because of this it could be relatively
easy for people to, for example, inject scripts into a page.
Normally I don't care. These applications are not exposed to the
outside world. But is there a nice, simple way that people are
sanitizing their Mason arguments on the way in to reduce the risk of
this sort of thing?
--
Shane McCarron
halindr...@gmail.com <mailto:halindr...@gmail.com>
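As an added illustration of the two halves of the advice above (validate arguments on the way in, and still escape on the way out), here is a stand-alone Perl script that is not part of this thread or of any of the listed modules' documentation. It uses Params::Validate from the list above to reject arguments that do not match an expected shape, and HTML::Entities to escape free text that is legitimately allowed to contain `<` or `&` when it is interpolated into HTML. The profile field names, the regexes and the sample requests are made up for the example. Note that input validation alone does not prevent XSS: anything that is rendered must still be escaped, and HTML::Mason 1 supports this per substitution with the escape flag `<% $var | h %>` (and globally via the compiler's `default_escape_flags`).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Params::Validate qw(validate SCALAR);
use HTML::Entities qw(encode_entities);

# Validate on the way in: every argument must match an expected shape, and
# anything else is rejected outright. Params::Validate dies with a message
# on failure, so callers wrap this in eval. Field names and rules are
# hypothetical, chosen for the example.
sub validate_profile_args {
    my %args = validate(@_, {
        username => { type  => SCALAR,
                      regex => qr/^[A-Za-z0-9_]{1,32}$/ },
        age      => { type  => SCALAR,
                      regex => qr/^[0-9]{1,3}$/,
                      callbacks => { 'is positive' => sub { $_[0] > 0 } } },
        bio      => { type  => SCALAR,
                      optional  => 1,
                      callbacks => { 'under 500 chars' => sub { length $_[0] <= 500 } } },
    });
    return \%args;
}

# Escape on the way out: a bio may legitimately contain '<' or '&', so it is
# not rejected but HTML-escaped when it is put into the page. The explicit
# character list also covers single quotes, which encode_entities skips by
# default. Inside a Mason component the equivalent is <% $bio | h %>.
sub render_profile {
    my ($p) = @_;
    my $name = encode_entities($p->{username}, '<>&"\'');
    my $bio  = encode_entities($p->{bio} // '', '<>&"\'');
    return sprintf('<p>%s (%d): %s</p>', $name, $p->{age}, $bio);
}

# Constructed sample requests (not real traffic): one benign, one with a
# script in a free-text field, one with a script where a username belongs,
# one with a non-numeric age.
my @requests = (
    { username => 'shane',    age => 42,    bio => 'I <3 Mason & Perl' },
    { username => 'bob',      age => 30,    bio => '<script>alert(1)</script>' },
    { username => '<script>', age => 30 },
    { username => 'eve',      age => 'abc' },
);

for my $req (@requests) {
    my $p = eval { validate_profile_args(%$req) };
    if (!$p) {
        (my $err = $@) =~ s/\n.*//s;    # keep the first line of the error
        print "REJECTED: $err\n";
        next;
    }
    print "OK: ", render_profile($p), "\n";
}
```

The first two requests pass validation; the second one's script tag is rendered as `&lt;script&gt;...` and is inert. The third and fourth are rejected before any rendering happens, because the username and age rules are strict enough that nothing script-like can get through them. The split matters: fields with a tight syntax (identifiers, numbers) are best rejected at the door, while fields that are free text must be escaped at the point of output, since "cleaning" them on the way in tends to either mangle legitimate input or miss a context (attribute, URL, JavaScript) that needs a different escaping.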
_______________________________________________
Mason-users mailing list
Mason-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mason-users