[Yapcom] Suggestion on how to eliminate Cross-site-scripting (XSS) bugs for good.

Shlomi Fish shlomif at iglu.org.il
Tue Oct 17 12:04:18 IST 2006


On Tuesday 17 October 2006 07:21, Gabor Szabo wrote:
> I am not sure that this is the right solution at the right level.
> I think it is better to ask on HTML::Template mailing list how can one
> enforce "ESCAPE=HTML" on every tag from within H:T (especially when used
> from CGI::Application) and if that solves the XSS problem?

The problem with this is that we may wish to pass HTML fragments unescaped. So 
we have to find a way to override it for these exceptional cases, as I 
illustrated.

>
> If your approach is a good solution it should not be done for YAPCOM only
> but either as a patch of H:T or as a separate module.
>

Right, that was my intention.

Regards,

	Shlomi Fish

> Gabor
>
> On 10/16/06, Shlomi Fish <shlomif at iglu.org.il> wrote:
> > Hi all!
> >
> > I have a suggestion on how to eliminate XSS bugs for good. The
> > HTML::Template documentation for TMPL_VAR:
> >
> > http://search.cpan.org/~samtregar/HTML-Template-2.8/Template.pm#TMPL_VAR
> >
> > Reads:
> >
> > <<<<
> > Optionally you can use the "ESCAPE=HTML" option in the tag to indicate
> > that you want the value to be HTML-escaped before being returned from
> > output (the old ESCAPE=1 syntax is still supported). This means that the
> > ", <, >, and & characters get translated into &quot;, &lt;, &gt; and
> > &amp; respectively. This is useful when you want to use a TMPL_VAR in a
> > context where those characters would cause trouble. Example:
> >
> >
> > Now what I want is to sub-class HTML::Template so we'll always have to
> > use "ESCAPE=HTML". If we want to override it we'll need to do the
> > following:
> >
> > 1. Wrap the string in a special object:
> >
> > <<<<<
> > my $string_to_pass = "<h1>Hello</h1>";
> >
> > my $string_to_pass_as_obj =
> > YAPC::Template::PassThru->new($string_to_pass);
> >
> >
> > 2. Explicitly unlock the object:
> >
> > <<<<<<
> > $string_to_pass_as_obj->unlock("unlock");
> >
> >
> > Note that unlock returns undef.
> >
> > 3. Add a special parameter to TMPL_VAR:
> >
> > <<<<<<
> > <TMPL_VAR NAME="string_to_pass" PASSTHRU="1">
> >
> >
> > -----------------
> >
> > If we pass a simple string then we can only use the TMPL_VAR with
> > ESCAPE="HTML" added. We can also use ESCAPE="HTML" on an unlocked object.
> >
> > So what do you say - should I start working on it?
> >
> > Regards,
> >
> >         Shlomi Fish
> >
> > ---------------------------------------------------------------------
> > Shlomi Fish      shlomif at iglu.org.il
> > Homepage:        http://www.shlomifish.org/
> >
> > Chuck Norris wrote a complete Perl 6 implementation in a day but then
> > destroyed all evidence with his bare hands, so no one will know his
> > secrets.

-- 

---------------------------------------------------------------------
Shlomi Fish      shlomif at iglu.org.il
Homepage:        http://www.shlomifish.org/

Chuck Norris wrote a complete Perl 6 implementation in a day but then
destroyed all evidence with his bare hands, so no one will know his secrets.

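One way the proposal above could be realized on top of HTML::Template's public API (scalarref, param, output), as an added example that is not code from this thread, from YAPCOM, or from HTML::Template itself. The package names YAPC::Template and YAPC::Template::PassThru are the ones the proposal floats; everything else (the is_unlocked/string accessors, the _yapc_passthru slot, the regex handling of tags, the constructed template) is this example's own assumption. It assumes the `<TMPL_VAR ...>` tag spelling (not the `<!-- TMPL_VAR ... -->` form), HTML::Template's default case-insensitive parameter names, and it does not descend into TMPL_LOOP data.

```perl
use strict;
use warnings;

# Hypothetical wrapper for strings allowed to reach the page unescaped.
# A fresh object is locked; the template refuses it until unlock("unlock").
package YAPC::Template::PassThru;

sub new {
    my ($class, $string) = @_;
    return bless { string => $string, unlocked => 0 }, $class;
}

sub unlock {
    my ($self, $token) = @_;
    die "unlock() takes the literal string 'unlock'\n"
        unless defined $token && $token eq 'unlock';
    $self->{unlocked} = 1;
    return;    # undef, as in the proposal
}
sub is_unlocked { $_[0]{unlocked} }
sub string      { $_[0]{string} }

# Hypothetical HTML::Template subclass enforcing the rule at both ends:
# every <TMPL_VAR> must say ESCAPE="HTML" or PASSTHRU="1", and a PASSTHRU
# variable accepts only an unlocked PassThru object.  Public H:T API only.
package YAPC::Template;
use parent 'HTML::Template';
use Scalar::Util qw(blessed);

sub new {
    my ($class, %opts) = @_;
    die "this example only takes a scalarref template\n"
        unless ref $opts{scalarref} eq 'SCALAR';
    my $src = ${ $opts{scalarref} };
    my %passthru;    # lower-cased names of PASSTHRU="1" variables

    # Assumes the <TMPL_VAR ...> spelling (not <!-- TMPL_VAR ... -->).
    $src =~ s{<TMPL_VAR\s+([^>]*)>}{
        my $attrs = $1;
        my ($name) = $attrs =~ /\bNAME\s*=\s*["']?([\w.\/+-]+)["']?/i
            or die "TMPL_VAR without NAME: <TMPL_VAR $attrs>\n";
        if ($attrs =~ s/\s*\bPASSTHRU\s*=\s*["']?1["']?//i) {
            $passthru{ lc $name } = 1;   # strip it: PASSTHRU is not an H:T attribute
        }
        elsif ($attrs !~ /\bESCAPE\s*=\s*["']?HTML["']?/i) {
            die "TMPL_VAR '$name' needs ESCAPE=\"HTML\" or PASSTHRU=\"1\"\n";
        }
        "<TMPL_VAR $attrs>";
    }gie;

    my $self = $class->SUPER::new(%opts, scalarref => \$src);
    $self->{_yapc_passthru} = \%passthru;
    return $self;
}

sub param {
    my ($self, @args) = @_;
    # Getter forms (no args, or a single name) are unchanged.
    return $self->SUPER::param(@args)
        if @args == 0 || (@args == 1 && !ref $args[0]);

    my %in = @args == 1 ? %{ $args[0] } : @args;
    my %out;
    for my $name (keys %in) {
        my $value = $in{$name};
        if (blessed($value) && $value->isa('YAPC::Template::PassThru')) {
            die "PassThru object for '$name' was never unlocked\n"
                unless $value->is_unlocked;
            # Unlocked: raw in a PASSTHRU slot, escaped in an ESCAPE=HTML one.
            $out{$name} = $value->string;
        }
        elsif (!ref $value && $self->{_yapc_passthru}{ lc $name }) {
            die "plain string bound to PASSTHRU variable '$name'; wrap it in "
              . "YAPC::Template::PassThru and unlock() it\n";
        }
        else {
            # Plain strings are escaped by ESCAPE=HTML at output time;
            # TMPL_LOOP data is passed through, not descended into.
            $out{$name} = $value;
        }
    }
    return $self->SUPER::param(%out);
}

package main;

# Constructed template: the title is untrusted, the body is trusted HTML.
my $tmpl = <<'END';
<h1><TMPL_VAR NAME="title" ESCAPE="HTML"></h1>
<div><TMPL_VAR NAME="body" PASSTHRU="1"></div>
END

my $t    = YAPC::Template->new(scalarref => \$tmpl);
my $body = YAPC::Template::PassThru->new('<p>Hello, <b>world</b></p>');
$body->unlock('unlock');
$t->param(
    title => '<script>alert(1)</script>',    # attacker-controlled: escaped
    body  => $body,                           # unlocked object: emitted raw
);
print $t->output;

# Each mistake dies where it is made instead of emitting raw HTML.
for my $mistake (
    sub { YAPC::Template->new(scalarref => \'<TMPL_VAR NAME="x">') },
    sub { $t->param(body => '<p>raw</p>') },
    sub { $t->param(body => YAPC::Template::PassThru->new('<p>x</p>')) },
) {
    eval { $mistake->(); 1 } or print "rejected: $@";
}
```

The design point is that the check happens twice: once when the template is compiled (a TMPL_VAR with neither ESCAPE="HTML" nor PASSTHRU="1" is refused), and once when data is bound (a PASSTHRU variable refuses anything but an unlocked object), so a developer who forgets either half gets a failure at development time rather than an XSS bug in production. Since the proposal only talks about ESCAPE=HTML, this example rejects tags that use H:T's other escape modes (URL, JS); a real module would have to decide whether those count as "escaped enough" for the context they are used in.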