[Yapcom] Suggestion on how to eliminate Cross-site-scripting (XSS) bugs for good.
Shlomi Fish
shlomif at iglu.org.il
Mon Oct 16 22:28:57 IST 2006
Hi all!
I have a suggestion on how to eliminate XSS bugs for good. The HTML::Template
documentation for TMPL_VAR:
http://search.cpan.org/~samtregar/HTML-Template-2.8/Template.pm#TMPL_VAR
Reads:
<<<<
Optionally you can use the "ESCAPE=HTML" option in the tag to indicate that
you want the value to be HTML-escaped before being returned from output (the
old ESCAPE=1 syntax is still supported). This means that the ", <, >, and &
characters get translated into &quot;, &lt;, &gt; and &amp; respectively.
This is useful when you want to use a TMPL_VAR in a context where those
characters would cause trouble. Example:
>>>>
Now what I want is to sub-class HTML::Template so we'll always have to
use "ESCAPE=HTML". If we want to override it we'll need to do the following:
1. Wrap the string in a special object:
<<<<<
my $string_to_pass = "<h1>Hello</h1>";
my $string_to_pass_as_obj = YAPC::Template::PassThru->new($string_to_pass);
>>>>>
2. Explicitly unlock the object:
<<<<<<
$string_to_pass_as_obj->unlock("unlock");
>>>>>>
Note that unlock returns undef.
3. Add a special parameter to TMPL_VAR:
<<<<<<
<TMPL_VAR NAME="string_to_pass" PASSTHRU="1">
>>>>>>
-----------------
If we pass a simple string then we can only use the TMPL_VAR with
ESCAPE="HTML" added. We can also use ESCAPE="HTML" on an unlocked object.
So what do you say - should I start working on it?
Regards,
Shlomi Fish
---------------------------------------------------------------------
Shlomi Fish shlomif at iglu.org.il
Homepage: http://www.shlomifish.org/
Chuck Norris wrote a complete Perl 6 implementation in a day but then
destroyed all evidence with his bare hands, so no one will know his secrets.
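The following is an added sketch of the proposal above, not code from the post or from HTML::Template. It assumes HTML::Template 2.x is installed, that the template is passed as `scalarref`, that every TMPL_VAR uses the `NAME="..."` attribute form (no comment-style tags, no bare names, no old `ESCAPE=1`), and that the `PASSTHRU` attribute, which HTML::Template itself does not know (it recognises only NAME, ESCAPE and DEFAULT on TMPL_VAR), is scanned and then stripped before the text reaches the parent class. The package names, the `is_unlocked`/`string` accessors and the `_yapc_policy` hash key are hypothetical.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTML::Template;      # CPAN module discussed in the post
use Scalar::Util ();     # core; blessed() is called fully qualified below

# ----- Wrapper for raw HTML: inert until explicitly unlocked ------------------
package YAPC::Template::PassThru;

sub new {
    my ($class, $string) = @_;
    return bless { string => $string, unlocked => 0 }, $class;
}
# Requires the literal word "unlock", as in the post's example; returns undef.
sub unlock {
    my ($self, $word) = @_;
    $self->{unlocked} = 1 if defined $word && $word eq 'unlock';
    return;
}
sub is_unlocked { $_[0]{unlocked} }
sub string      { $_[0]{string} }

# ----- Subclass that makes ESCAPE="HTML" mandatory --------------------------
package YAPC::Template::Safe;
our @ISA = ('HTML::Template');

sub new {
    my ($class, %args) = @_;
    die "this sketch only accepts scalarref => \\\$template\n"
        unless ref $args{scalarref} eq 'SCALAR';
    my $text = ${ $args{scalarref} };

    # Record, per variable name, whether its slot escapes or passes through.
    my %policy;
    while ($text =~ /<TMPL_VAR\s+([^>]*)>/gi) {
        my $attrs = $1;
        my ($name) = $attrs =~ /\bNAME\s*=\s*"([^"]*)"/i
            or die "TMPL_VAR without NAME=\"...\": <TMPL_VAR $attrs>\n";
        my $escape   = $attrs =~ /\bESCAPE\s*=\s*"?HTML"?/i;
        my $passthru = $attrs =~ /\bPASSTHRU\s*=\s*"?1"?/i;
        die "TMPL_VAR '$name': ESCAPE=\"HTML\" and PASSTHRU=\"1\" together make no sense\n"
            if $escape && $passthru;
        die "TMPL_VAR '$name': ESCAPE=\"HTML\" is mandatory unless PASSTHRU=\"1\" is given\n"
            unless $escape || $passthru;
        $policy{ lc $name } = $passthru ? 'passthru' : 'escape';   # names are case-insensitive by default
    }
    # HTML::Template would choke on the unknown attribute, so remove it before parsing.
    $text =~ s/(<TMPL_VAR\b[^>]*?)\s+PASSTHRU\s*=\s*"?1"?/$1/gi;

    my $self = $class->SUPER::new(%args, scalarref => \$text);
    $self->{_yapc_policy} = \%policy;   # hypothetical private key on the HTML::Template hash
    return $self;
}

sub param {
    my ($self, @args) = @_;
    # Read-only forms ($t->param, $t->param('name')) go straight to the parent.
    return $self->SUPER::param(@args)
        if @args == 0 || (@args == 1 && ref $args[0] ne 'HASH');
    my %pairs = ref $args[0] eq 'HASH' ? %{ $args[0] } : @args;

    my %checked;
    for my $name (keys %pairs) {
        my $value  = $pairs{$name};
        my $policy = $self->{_yapc_policy}{ lc $name }
            or die "no TMPL_VAR named '$name' in this template\n";
        if (Scalar::Util::blessed($value) && $value->isa('YAPC::Template::PassThru')) {
            # An unlocked object may go into a PASSTHRU slot (raw) or an
            # ESCAPE=HTML slot (escaped by HTML::Template); a locked one goes nowhere.
            die "'$name': PassThru object was not unlocked\n" unless $value->is_unlocked;
            $checked{$name} = $value->string;
        } elsif (ref $value) {
            die "'$name': only plain strings and PassThru objects are supported here\n";
        } else {
            # A plain string never reaches a raw slot, so it is always escaped.
            die "'$name': plain string passed to a PASSTHRU=\"1\" slot; wrap it in PassThru\n"
                if $policy eq 'passthru';
            $checked{$name} = $value;
        }
    }
    return $self->SUPER::param(%checked);
}

# ----- Demonstration on a constructed template --------------------------------
package main;

my $template = <<'END_TMPL';
<h1><TMPL_VAR NAME="title" ESCAPE="HTML"></h1>
<div><TMPL_VAR NAME="body" PASSTHRU="1"></div>
END_TMPL

my $t = YAPC::Template::Safe->new(scalarref => \$template);

my $body = YAPC::Template::PassThru->new('<p>Markup the <em>application</em> built itself</p>');
$body->unlock('unlock');

$t->param(title => '<script>alert(1)</script>',   # attacker-controlled: gets escaped
          body  => $body);                         # unlocked: emitted verbatim
print $t->output;

# Three misuses the subclass refuses: a plain string into a raw slot, a locked
# object anywhere, and a template whose TMPL_VAR carries neither attribute.
eval { $t->param(body => '<b>not wrapped</b>'); 1 } or print "rejected: $@";
eval { $t->param(title => YAPC::Template::PassThru->new('<b>locked</b>')); 1 } or print "rejected: $@";
eval { YAPC::Template::Safe->new(scalarref => \'<TMPL_VAR NAME="x">'); 1 } or print "rejected: $@";
```

Run as an ordinary script: the title is entity-escaped by HTML::Template's own ESCAPE=HTML handling, the unlocked body is copied through, and each of the three `eval` lines prints the reason the call was refused. The point of the design is that the dangerous path needs three deliberate acts (wrap, unlock with the magic word, mark the slot PASSTHRU), so a grep for `PassThru` and `PASSTHRU` lists every place raw HTML can enter a page.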