Mailing List Archive

Security Fixes
Hi,

I have just committed two fixes for possible security problems to the
Embperl CVS, which Dirk Lutzebaeck pointed out.

- New $escmode (or EMBPERL_ESCMODE) to disable the possibility
to turn off escaping with a leading backslash. Adding 4 to
any escmode will cause Embperl to do no special processing
on the backslash. This is mainly to avoid problems with
cross site scripting issues, where people are able to enter
arbitrary HTML.
- Characters between 128 and 159 are all HTML escaped now to
avoid problems with buggy browsers, which were reported to
treat the chars 139 and 141 as < and >.

The default for escmode is still 3, which means insecure in this context. I
have left it at this value, to not break existing scripts, but from a
security point of view, it would be better to make the default 7, in which
case the HTML escaping could not be disabled by a leading backslash.

Any comments?

Gerald

-------------------------------------------------------------
Gerald Richter ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz
E-Mail: richter@ecos.de Voice: +49 6133 925151
WWW: http://www.ecos.de Fax: +49 6133 925152
-------------------------------------------------------------
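The escmode behaviour described in the post above, as an added Python model that is not Embperl's own code. It assumes that the backslash disables escaping only for the single character following it, that the "add 4" bit makes the backslash an ordinary character, and that characters 128..159 are emitted as numeric entities (URL escaping is not modelled).

```python
# Model of Embperl escmode handling as described in the post (added example,
# not Embperl code). Bit values are assumptions taken from the post's text.

ESC_HTML = 1          # HTML escaping on (part of escmode 1 and 3)
ESC_NO_BACKSLASH = 4  # the "add 4" bit: no special processing of backslash

HTML_META = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}


def escape_char(ch: str) -> str:
    """HTML-escape one character, including the 128..159 range."""
    if ch in HTML_META:
        return HTML_META[ch]
    if 128 <= ord(ch) <= 159:
        # C1 control range; buggy browsers were reported to render
        # chr(139) and chr(141) as < and >, so these are escaped as well.
        return f"&#{ord(ch)};"
    return ch


def embperl_escape(value: str, escmode: int = 3) -> str:
    """Escape value according to the (simplified) escmode.

    escmode 3: a backslash turns escaping off for the next character, so
               untrusted input containing backslashes can smuggle raw HTML.
    escmode 7: the backslash is passed through literally and everything
               is escaped, which is the setting the post recommends.
    """
    if not escmode & ESC_HTML:
        return value  # HTML escaping disabled entirely
    backslash_override = not (escmode & ESC_NO_BACKSLASH)
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if backslash_override and ch == "\\" and i + 1 < len(value):
            # Legacy behaviour: emit the following character unescaped.
            out.append(value[i + 1])
            i += 2
            continue
        out.append(escape_char(ch))
        i += 1
    return "".join(out)


if __name__ == "__main__":
    sample = "\\<b>x\x8bi\x8d"  # constructed input with a backslash and C1 chars
    print("escmode 3:", embperl_escape(sample, 3))
    print("escmode 7:", embperl_escape(sample, 7))
```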