>>>>> On 11 Mar 2003 10:58:01 +0200, Clinton Gormley <[EMAIL PROTECTED]> said:
CG> On Tue, 2003-03-11 at 06:03, Stas Bekman wrote:
CG> Changes since 0.7
CG> * prevent cross-site scripting, now HTML-escaping the request field
CG> In Stas' Apache::VMonitor announcement, he mentions changes to
CG> prevent cross site scripting.
CG> This is a concern for me at the moment, because I'm building a
CG> site which will allow people to submit copy (to be displayed to
CG> other users) and I would like them to be able to use HTML and
CG> include links to other sites (much like slashdot).
CG> Do any of you have any ideas about good techniques to prevent CSS
CG> (and I don't mean those <div> elements) in this scenario?

Limit HTML to some safe subset and use HTML::TagFilter to enforce it. Make sure that you don't allow tag attributes which allow running javascript (like onclick, onchange, etc).

The only problem with HTML::TagFilter I see is that it doesn't support restricting schemes in URIs. You definitely should not allow links like <a href="javascript:something">. But maybe it is possible to extend HTML::TagFilter to do this too.

-- 
Ilya Martynov, [EMAIL PROTECTED]
CTO IPonWEB (UK) Ltd
Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
Personal website - http://martynov.org
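The three rules in the reply above (allow only a safe subset of tags, drop every on* event-handler attribute, and refuse href/src values whose URI scheme is not on an allowlist) as one stand-alone sanitizer. This is an added example written for this thread, not HTML::TagFilter or any other code from the list; the allowed tag and scheme sets are an assumed policy, and it uses only the Python standard library.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: allowed tags and, per tag, the attributes that may survive.
ALLOWED = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(), "code": set(),
    "p": set(), "br": set(), "blockquote": set(), "pre": set(),
}
VOID = {"br"}                      # no closing tag is emitted for these
URL_ATTRS = {"href", "src"}        # attributes whose value is a URI
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(value):
    """Accept relative URLs or absolute ones with an allowed scheme only."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    def __init__(self):
        # HTMLParser unescapes attribute values, so "javascript&#58;..." is
        # seen here as "javascript:..." and caught by safe_url().
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                 # tag dropped; its text is kept as escaped data
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED[tag]:
                continue           # event handlers and unlisted attributes never pass
            if name in URL_ATTRS and not safe_url(value or ""):
                continue           # javascript:, data:, vbscript: etc. are refused
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitize(html):
    """Return an allowlist-filtered copy of user-submitted HTML."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)
```

Note that a dropped tag loses its markup but not its text, so `<script>` content comes back as harmless escaped text rather than vanishing silently.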