I know this has been kicked around before but I'm not having luck with Google searches. One discussion here: http://www.perlmonks.org/?node_id=224782
One developer at work has suggested applying HTML::Scrubber to all *input* in a web application. The idea is to prevent any possibly dangerous HTML on input that may end up rendered on a page.

I'm arguing that the correct approach is to use the html filter when rendering in templates. After all, the text provided by a user may not always be rendered as HTML. And blindly running HTML::Scrubber on all input sounds a bit harsh. (There's a Catalyst plugin that does this brute-force method. Of course, just that it exists doesn't mean it's a good idea.)

I don't miss an html filter very often, but it's not easy to enforce with new developers. One result of that discussion was the question of whether it would be possible to automatically filter all text, but have a way to disable that. Or maybe blow up if not filtered at all (such as in the perl monks article above).

Any recommended approaches?

-- 
Bill Moseley
[email protected]
_______________________________________________ templates mailing list [email protected] http://mail.template-toolkit.org/mailman/listinfo/templates
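As an added illustration of the output-time approach argued for above (example code written for this note, not from the original post, Template Toolkit, or HTML::Scrubber), the script below escapes every variable before it reaches an HTML template, keeps the untouched values reachable only through an explicit `raw` namespace, and then renders the same data into a plain-text template where no HTML escaping belongs. The variable names, the `escaped_vars` helper and the sample form input are constructed for this example; the escaping is hand-rolled so the script depends only on the `Template` module, though TT's own `| html` filter does the same job.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed sample input: what a user might type into two form fields.
my %raw = (
    name    => 'Alice <script>alert(1)</script>',
    comment => 'a < b && c > d',
);

# Escape a string for an HTML text context (same characters as TT's html filter).
sub html_escape {
    my ($s) = @_;
    return $s unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Build an escape-by-default view of the variables. The unescaped values stay
# available, but only under "raw", so opting out is visible in the template
# and easy to grep for in review.
sub escaped_vars {
    my ($vars) = @_;
    my %safe = map { $_ => html_escape($vars->{$_}) } keys %$vars;
    $safe{raw} = $vars;
    return \%safe;
}

my $tt = Template->new() or die Template->error();

# HTML template: a plain [% name %] is already escaped, so a forgotten
# "| html" no longer turns user input into markup.
my $html_tmpl = <<'TT';
<p>Name: [% name %]</p>
<p>Comment: [% comment %]</p>
TT
$tt->process(\$html_tmpl, escaped_vars(\%raw), \my $html) or die $tt->error();
print $html;
# <p>Name: Alice &lt;script&gt;alert(1)&lt;/script&gt;</p>
# <p>Comment: a &lt; b &amp;&amp; c &gt; d</p>

# Plain-text template (say, a notification e-mail): the same data is rendered
# unescaped, because "<" and "&" are not special here. Scrubbing at input
# time would have already mangled the comment for this context.
my $text_tmpl = <<'TT';
Name: [% name %]
Comment: [% comment %]
TT
$tt->process(\$text_tmpl, \%raw, \my $text) or die $tt->error();
print $text;
```

The key property is that escaping is chosen per output context at render time: the HTML view gets the escaped values by default, the text view gets the originals, and a template that genuinely needs to emit trusted markup has to say `[% raw.field %]` explicitly rather than silently relying on a developer having remembered the filter.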
