Re: [Catalyst] HTML encoding parameters
Good evening,

On 28/06/14 at 8:13 PM -0700, bill hauck wbha...@yahoo.com wrote:

> Is there a module that does this to all parameters at once?

You want one of these (there are more on cpan too):

https://metacpan.org/pod/HTML::Scrubber
https://metacpan.org/pod/HTML::Lint

Charlie

--
Charlie Garrison garri...@zeta.org.au
PO Box 141, Windsor, NSW 2756, Australia

O ascii ribbon campaign - stop html mail - www.asciiribbon.org
http://www.ietf.org/rfc/rfc1855.txt

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
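As an added illustration of the HTML::Scrubber suggestion above (this is not code from the thread or from the module's own documentation), the following scrubs every value in a parameter hash in one pass, allowing only bare b/i/u/ul/ol/li with no attributes; the field names and input values are constructed, and `scrub_params` is a hypothetical helper.

```perl
#!/usr/bin/env perl
# Added example: allow-list scrubbing of a whole parameter hash with
# HTML::Scrubber. Not from the mailing-list thread.
use strict;
use warnings;
use HTML::Scrubber;

# Build the scrubber once: permit only the listed tags, deny every
# attribute on them ('*' => 0), and drop comments and <? ?> instructions.
my $scrubber = HTML::Scrubber->new(
    allow   => [qw(b i u ul ol li)],
    default => [ 0, { '*' => 0 } ],
    comment => 0,
    process => 0,
);

# Scrub every parameter. A value may be a plain scalar or an array ref
# (multi-valued fields, the shape Catalyst's $c->req->params uses), so
# both cases are handled; a new hash is returned, the input is untouched.
sub scrub_params {
    my ($params) = @_;
    my %clean;
    for my $name ( keys %$params ) {
        my $value = $params->{$name};
        $clean{$name} = ref $value eq 'ARRAY'
            ? [ map { $scrubber->scrub($_) } @$value ]
            : $scrubber->scrub($value);
    }
    return \%clean;
}

# Constructed sample input with hypothetical field names: a paragraph
# carrying an event-handler attribute and a script tag, plus a
# multi-valued field containing an image tag with an attribute.
my %form = (
    body => '<p onmouseover="x()"><b>bold</b> and <script>x()</script></p>',
    tags => [ '<i>ok</i>', '<img src="x" onerror="x()">' ],
);

my $clean = scrub_params( \%form );
for my $name ( sort keys %$clean ) {
    my $v = $clean->{$name};
    print "$name: ", ( ref $v ? join( ' | ', @$v ) : $v ), "\n";
}
```

Note that HTML::Scrubber removes disallowed tags and attributes rather than encoding them, so this is a sanitiser, not the encoding the original question asked about; the `html` filter in the templates is still the right control for fields that are never meant to carry markup.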
Re: [Catalyst] HTML encoding parameters
I've had really good results with HTML::StripScripts::Parser; you can set allowed tags, attributes and stop JavaScript injection. You can also set allowed attributes on certain tags only, it's really flexible.

On 29 Jun 2014 05:14, bill hauck wbha...@yahoo.com wrote:

> Hi. Please forgive me if this is an easy one. It's late and I haven't found any mention of it.
>
> I'd like to encode form fields so that only the standard bold, italic, underline, list, etc. are allowed and script, style, etc. tags are encoded. Also, I'd like to only let the base tags through and no attributes so setting an onmouseover in a paragraph is encoded. Basically I'm trying to avoid XSS and other nastiness.
>
> Is there a module that does this to all parameters at once? Do I simply need to do it to each parameter I accept?
>
> For now I've been adding the html filter in my Template Toolkit templates, but that's a pain and relies on each output field filtering. I'd like to encode before storing the data in the database so it's safe no matter how it's presented.
>
> Any help is appreciated.
>
> Thanks,
> bill
[Catalyst] HTML encoding parameters
Hi. Please forgive me if this is an easy one. It's late and I haven't found any mention of it.

I'd like to encode form fields so that only the standard bold, italic, underline, list, etc. are allowed and script, style, etc. tags are encoded. Also, I'd like to only let the base tags through and no attributes so setting an onmouseover in a paragraph is encoded. Basically I'm trying to avoid XSS and other nastiness.

Is there a module that does this to all parameters at once? Do I simply need to do it to each parameter I accept?

For now I've been adding the html filter in my Template Toolkit templates, but that's a pain and relies on each output field filtering. I'd like to encode before storing the data in the database so it's safe no matter how it's presented.

Any help is appreciated.

Thanks,
bill