I've had really good results with HTML::StripScripts::Parser; you can set
allowed tags and attributes and stop JavaScript injection. You can also set
allowed attributes on certain tags only; it's really flexible.
On 29 Jun 2014 05:14, bill hauck wbha...@yahoo.com wrote:
Hi.
Please forgive me if this is an easy one. It's late and I haven't found
any mention of it.
I'd like to encode form fields so that only the standard bold, italic,
underline, list, etc. are allowed and script, style, etc. tags are
encoded. Also, I'd like to only let the base tags through and no
attributes so setting an onmouseover in a paragraph is encoded. Basically
I'm trying to avoid XSS and other nastiness.
Is there a module that does this to all parameters at once? Do I simply
need to do it to each parameter I accept? For now I've been adding the html
filter in my Template Toolkit templates, but that's a pain and relies on
each output field filtering. I'd like to encode before storing the data in
the database so it's safe no matter how it's presented.
Any help is appreciated.
Thanks,
bill
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive:
http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
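An added example (not from the thread and not the module's own sample code) of the whitelist the reply describes, set up the way bill asked for: base formatting and list tags only, no attributes, and rejected markup escaped rather than dropped, then applied to a whole parameter hash in one pass. The `Rules` wildcard keys and the attribute-deny semantics are as documented for HTML::StripScripts as I remember them; confirm against the POD of the installed version.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::StripScripts::Parser;

# Whitelist filter: keep only simple formatting and list tags, deny every
# attribute, and escape (not strip) anything else so the stored text stays
# inert even if a template later forgets the html filter.
my $hss = HTML::StripScripts::Parser->new(
    {
        Context        => 'Flow',   # fragment that may contain block tags (lists)
        BanAllBut      => [qw( b i u em strong p br ul ol li )],
        AllowSrc       => 0,        # never let src= through
        AllowHref      => 0,        # never let href= through
        EscapeFiltered => 1,        # rejected tags become &lt;script&gt;... instead of vanishing
        Rules          => {
            '**' => { '*' => 0 },   # default for every tag: deny all attributes
        },
    },
    strict_comment => 1,
    strict_names   => 1,
);

# Run the filter over every form parameter at once. $params is a hashref in
# the shape of $c->req->params, where a repeated field arrives as an arrayref.
sub clean_params {
    my ($filter, $params) = @_;
    my %clean;
    for my $name (keys %$params) {
        my $v = $params->{$name};
        $clean{$name} = ref $v eq 'ARRAY'
            ? [ map { $filter->filter_html($_) } @$v ]
            : $filter->filter_html($v);
    }
    return \%clean;
}

# Constructed sample request (not from the thread): wanted formatting mixed
# with the two things bill wants neutralised, an event handler and a script tag.
my $params = {
    body  => '<p onmouseover="alert(1)">Hello <b>bold</b> and <i>italic</i></p>'
           . '<script>alert(1)</script><ul><li class="x">item</li></ul>',
    tags  => [ '<u>one</u>', '<style>body{}</style>two' ],
};

my $clean = clean_params($hss, $params);
print "$_: ", (ref $clean->{$_} ? join(' | ', @{ $clean->{$_} }) : $clean->{$_}), "\n"
    for sort keys %$clean;
```

Because `EscapeFiltered` is on, the `<script>` and `<style>` elements survive only as `&lt;script&gt;...` text, which is what you want if the same value may later be rendered by a template that does no escaping of its own.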