Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Catalyst>
  3. Users
HTML encoding parameters
wbhauck at yahoo
Jun 28, 2014, 8:13 PM
Post #1 of 3 (1512 views)
Permalink
Hi.

Please forgive me if this is an easy one.  It's late and I haven't found any mention of it.

I'd like to encode form fields so that only the standard bold, italic, underline, list, etc. are allowed and and script, style, etc. tags are encoded.  Also, I'd like to only let the base tags through and no attributes so setting an onmouseover in a paragraph is encoded.  Basically I'm trying to avoid XSS and other nastiness.

Is there a module that does this to all parameters at once?  Do i simply need to do it to each paramter I accept?  For now I've been adding the html filter in my Template Toolkit templates, but that's a pain and relies on each output field filtering.  I'd like to encode before storing the data in the database so it's safe no matter how it's presented.

Any help is appreciated.

Thanks,

bill
Re: HTML encoding parameters [ In reply to ]
garrison at zeta
Jun 29, 2014, 3:37 AM
Post #2 of 3 (1506 views)
Permalink
Good evening,

On 28/06/14 at 8:13 PM -0700, bill hauck <wbhauck@yahoo.com> wrote:

>Is there a module that does this to all parameters at once?

You want one of these (there are more on cpan too):

https://metacpan.org/pod/HTML::Scrubber
https://metacpan.org/pod/HTML::Lint


Charlie

--
Charlie Garrison <garrison@zeta.org.au>
PO Box 141, Windsor, NSW 2756, Australia

O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
http://www.ietf.org/rfc/rfc1855.txt


_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Re: HTML encoding parameters [ In reply to ]
m at rkellis
Jun 29, 2014, 7:12 AM
Post #3 of 3 (1497 views)
Permalink
I've had really good results with HTML::StripScripts::Parser, you can set
allowed tags, attributes and stop JavaScript injection. You can also set
allowed attributes on certain tags only, it's really flexible
On 29 Jun 2014 05:14, "bill hauck" <wbhauck@yahoo.com> wrote:

> Hi.
>
> Please forgive me if this is an easy one. It's late and I haven't found
> any mention of it.
>
> I'd like to encode form fields so that only the standard bold, italic,
> underline, list, etc. are allowed and and script, style, etc. tags are
> encoded. Also, I'd like to only let the base tags through and no
> attributes so setting an onmouseover in a paragraph is encoded. Basically
> I'm trying to avoid XSS and other nastiness.
>
> Is there a module that does this to all parameters at once? Do i simply
> need to do it to each paramter I accept? For now I've been adding the html
> filter in my Template Toolkit templates, but that's a pain and relies on
> each output field filtering. I'd like to encode before storing the data in
> the database so it's safe no matter how it's presented.
>
> Any help is appreciated.
>
> Thanks,
>
> bill
>
>
>
>
>
>
>
>
> _______________________________________________
> List: Catalyst@lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive:
> http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
>
>

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal