PerlMonks  

Re: XSS Protection in cgi application

by haj (Vicar)
on Nov 03, 2021 at 15:34 UTC [id://11138387]


in reply to XSS Protection in cgi application

Some general rules:
  • Don't try to identify malicious content. Identify valid content for your fields, and discard everything else. A field named "store" is unlikely to require any of the critical characters <>&.
  • If you include form fields in a response, you need to HTML-escape them as you would for your own texts. HTML-encoding "&lt" is different from URL-encoding "%3C". If you build href or other URL attributes, you need to apply both encodings on top of each other.
  • Be aware that attackers don't use a browser to construct their URLs. Validating form fields with HTML data types or JavaScript is nice for convenience, but doesn't help for your application's security.
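A worked example of the three rules above, added here and not part of haj's reply: a self-contained Perl CGI fragment that (1) accepts a "store" field only if it matches an allowlist pattern, (2) HTML-escapes every form value echoed into the page, and (3) builds an href by URL-encoding the value and then HTML-escaping the whole attribute. The field rules, the two constructed sample submissions, and the helper names (`valid_store`, `html_escape`, `url_encode`, `store_link`) are assumptions for illustration; only core Perl is used, so no CPAN modules are required.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Rule 1: describe what a valid value looks like and reject everything else.
# The pattern below is an assumed example for a store name; adjust it to
# the real shape of your field.
sub valid_store {
    my ($value) = @_;
    return undef unless defined $value;
    return $value if $value =~ /\A[A-Za-z0-9][A-Za-z0-9 _.-]{0,39}\z/;
    return undef;
}

# A free-text field that must allow punctuation: validate only its length,
# and rely on output escaping (rule 2) for safety.
sub valid_comment {
    my ($value) = @_;
    return undef unless defined $value && length($value) <= 200;
    return $value;
}

# Rule 2: HTML-escape for text nodes and attribute values.
my %html_map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                '"' => '&quot;', "'" => '&#39;');
sub html_escape {
    my ($s) = @_;
    $s =~ s/([&<>"'])/$html_map{$1}/g;
    return $s;
}

# URL-encode (percent-encode) one query-string component.
sub url_encode {
    my ($s) = @_;
    utf8::encode($s) if utf8::is_utf8($s);   # percent-encode UTF-8 bytes
    $s =~ s/([^A-Za-z0-9\-_.~])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Both encodings on top of each other: URL-encode the value inside the URL,
# then HTML-escape the finished URL because it sits in an HTML attribute
# (the '&' between query parameters becomes '&amp;').
sub store_link {
    my ($store) = @_;
    my $url = '/store.cgi?store=' . url_encode($store) . '&tab=hours';
    return '<a href="' . html_escape($url) . '">' . html_escape($store) . '</a>';
}

# Render one submission, or a 400 response if a field fails validation.
sub handle_request {
    my (%form) = @_;
    my $store   = valid_store($form{store});
    my $comment = valid_comment($form{comment});
    unless (defined $store && defined $comment) {
        return "Status: 400 Bad Request\nContent-Type: text/plain; charset=utf-8\n\n"
             . "Invalid form input\n";
    }
    return "Content-Type: text/html; charset=utf-8\n\n"
         . "<p>Store: " . html_escape($store) . "</p>\n"
         . "<p>Comment: " . html_escape($comment) . "</p>\n"
         . store_link($store) . "\n";
}

# Two constructed submissions: the first passes, the second is rejected
# because the store name contains characters outside the allowlist.
my @samples = (
    { store => 'Main St. Bakery', comment => q{Ask for "Bob" & <co>} },
    { store => 'Bob <Bakery> & Co', comment => 'hello' },
);
print handle_request(%$_), "----\n" for @samples;
```

For the first sample the comment is echoed as `Ask for &quot;Bob&quot; &amp; &lt;co&gt;`, and the link becomes `<a href="/store.cgi?store=Main%20St.%20Bakery&amp;tab=hours">Main St. Bakery</a>`: the space is percent-encoded, the parameter separator is HTML-escaped. The second sample never reaches the output stage, which is the point of validating against what is valid rather than hunting for what is malicious.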
