On Monday 28 September 2009 23:51:18 Bill Moseley wrote:
> I know this has been kicked around before but I'm not having luck with
> Google searches. One discussion here:
> http://www.perlmonks.org/?node_id=224782
>
> One developer at work has suggested applying HTML::Scrubber to all *input*
> in a web application. The idea is to prevent any possible dangerous HTML
> on input that may end up rendered on a page.
>
> I'm arguing that the correct approach is to use the html filter when
> rendering in templates. After all, the text provided by a user may not
> always be rendered as HTML.
> And blindly running HTML::Scrubber on all input sounds a bit harsh.
> (There's a Catalyst plugin that does this brute-force method. Of course,
> just that it exists doesn't mean it's a good idea.) I don't miss a html
> filter very often, but it's not easy to enforce with new developers.
>
> As a result of that discussion there was a question whether it would be possible to
> automatically filter all text, but have a way to disable that. Or maybe
> blow up if not filtered at all (such as in the perl monks article above).
>
> Any recommended approaches?
Some time ago I _almost_ implemented taint mode for Template::Toolkit; it was not that hard, really. The method involved passing a special object with an overloaded concatenation operator as template output and checking concatenated strings (that are, in the end, template variables or something using them) for taintedness. If you taint all user input (using Taint::Runtime, maybe a hacked CGI that does that), untaint output of 'safe' filters (html, uri), _and_ have a decent test suite (the thing we lacked back then, that's why I've dropped the idea), you could make sure you have no XSS-like errors.

<captain obvious mode> HTML::Scrubbing user input seems like a wrong thing to do, unless what you do is a publication interface: generally, you don't want even non-dangerous tags (<h1> ;-) from user input rendered on your page; and you'd frustrate users by "spoiling" their data.

--
Alexey A. Kiritchun
Yandex, search systems department
SERP team lead

_______________________________________________
templates mailing list
[email protected]
http://mail.template-toolkit.org/mailman/listinfo/templates
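The tainted-output idea described above, as an added stand-alone Perl sketch that is not code from this thread or from Template::Toolkit: an output buffer object with an overloaded concatenation operator records every tainted fragment appended to it, and a regex-untainting html filter is the only way data becomes clean. The class and sub names (OutputGuard, html_filter, render_unfiltered, render_filtered) are assumptions, and the two render subs only mimic the `$output .= value` statements TT's compiled templates execute rather than hooking TT itself.

```perl
#!/usr/bin/perl -T
# Run as: perl -T guard.pl  (taint mode makes %ENV tainted; no CPAN modules needed)
use strict;
use warnings;

# Stand-in for TT's $output buffer: every fragment concatenated into it is
# checked for Perl's taint flag. A production version would die here instead.
package OutputGuard;
use Scalar::Util qw(tainted);
use overload '.' => \&_concat, '""' => \&as_string, fallback => 1;
# ('.=' is derived from '.' by overload, so "$output .= ..." lands in _concat)
sub new { my $class = shift; return bless { buf => '', violations => [] }, $class }
sub as_string  { return $_[0]{buf} }
sub violations { return @{ $_[0]{violations} } }
sub _concat {
    my ($self, $other, $swapped) = @_;
    $other = '' unless defined $other;
    # A tainted fragment reached the output without passing through a filter.
    push @{ $self->{violations} }, $other if tainted($other);
    $self->{buf} = $swapped ? $other . $self->{buf} : $self->{buf} . $other;
    return $self;
}

package main;
# The 'html' filter: escape, then untaint via a regex capture (Perl's standard
# laundering idiom), so filter output is the only untainted path to the page.
sub html_filter {
    my $text = shift;
    my %esc = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$esc{$1}/g;
    my ($clean) = $text =~ /\A(.*)\z/s;   # capture untaints
    return $clean;
}

# Constructed "user input", tainted by concatenating a zero-length slice of a
# tainted %ENV value (the usual idiom when there is no real request around).
my $user_input = substr($ENV{PATH} // '', 0, 0) . q{<b>Bill</b> & "friends"};

sub render_unfiltered {     # [% name %]  - filter forgotten
    my $output = OutputGuard->new;
    $output .= '<p>Hello, '; $output .= $_[0]{name}; $output .= '</p>';
    return $output;
}
sub render_filtered {       # [% name | html %]
    my $output = OutputGuard->new;
    $output .= '<p>Hello, '; $output .= html_filter($_[0]{name}); $output .= '</p>';
    return $output;
}
for my $render (\&render_unfiltered, \&render_filtered) {
    my $out = $render->({ name => $user_input });
    my @bad = $out->violations;
    print $out->as_string, "\n  => ", (@bad ? "TAINTED fragment(s): @bad" : 'ok'), "\n";
}
```

The first render reports the raw `<b>Bill</b> & "friends"` fragment as tainted, the second prints the escaped markup with no violations; the object is printed via as_string rather than interpolated, because interpolation itself goes through the overloaded concatenation.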
