Preventing XSS

techcode has asked for the wisdom of the Perl Monks concerning the following question:

I thought I'm all settled with following code:

sub form {
    my $self = shift;
    my %params = @_;
    
    # I could use delete right?
    my $skip = array_to_hash($params{'skip_fields'}); # Array/ArrayRef
    
    my $q = $self->query();
    my %vars = $q->Vars();
    
    use HTML::Entities;
    foreach(keys %vars){
        next if $skip->{$_}; # Don't encode if it's in skip list 
        
        $vars{$_} = HTML::Entities::encode($vars{$_});
    }
    
    return \%vars;
}
[download]

But here is a problem. I use UTF-8 so that site would support Serbian (latin not cyrilic) so I end up with funky entities instead of letters like Š, Đ, Č, Ć and Ž.

Which when I hit preview I realised this site is doing too :)

Is there any other way to filter the input that would not do this? I dont want Š instead of Š in my forms ...

I believe it's ok to have those chars not encoded since I set both header and meta charset to utf-8.

Have you tried freelancing? Check out Scriptlance - I work there. For more info about Scriptlance and freelancing in general check out my home node.

Comment on Preventing XSS Download Code

Replies are listed 'Best First'.
Re: Preventing XSS by ikegami (Patriarch) on Sep 19, 2007 at 20:11 UTC
Sounds to me like you want `$vars{$_} = HTML::Entities::encode_entities($vars{$_}, '<>&"');` [download] Quote HTML::Entities, The default set of characters to encode are control chars, high-bit chars, and the `<`, `&`, `>`, `'` and `"` characters. But this, for example, would encode just the `<`, `&`, `>` and `"` characters: `$encoded = encode_entities($input, '<>&"');` [download] It converts plain text into tag-less HTML.	[reply] [d/l] [select]
Re^2: Preventing XSS (sg) by tye (Sage) on Sep 19, 2007 at 20:48 UTC
Note that I see no reason to encode quote characters here. It isn't like the result is being placed into an attribute value. (: And I probably wouldn't encode all ampersands since they are useful and rather low risk. If you are worried about the little-supported javascriptish ampersand stuff, then I'd only encode those ampersands. But I guess taking something useful away from users out of combined fear and laziness is not a shockingly rare result. Which leaves us with a couple of simple regexes and little reason to use a module: `s/&{/&{/g; s/</</g;` [download] - tye	[reply] [d/l]
Re: Preventing XSS by b10m (Vicar) on Sep 19, 2007 at 19:44 UTC
I'm afraid you don't get the concept of XSS. You're dealing with encoding/HTML Entity problems, which is bad, but completely different than XSS "protection". For XSS "protection", have a look at HTML::StripScripts, it works rather well :-) Update: after reading your post again, it does seem you want to prevent XSS attacks (by using HTML::Entities) yet you don't want your "crazy letters" to be lost ;-). I'm not sure HTML::Entities will bulletproof your script. Have a look at HTML::StripScripts, really. But experts my say HTML::Entities _is_ enough (I would love to hear opinions on this) -- b10m All code is usually tested, but rarely trusted.	[reply]
Re: Preventing XSS by andreas1234567 (Vicar) on Sep 20, 2007 at 11:05 UTC
The Open Web Application Security Project (OWASP) project has a good overview on the various aspects of Cross Site Scripting (XSS). Be sure to read the chapter on Data Validation, where strategies for validating data is discussed. -- Andreas	[reply]
Re: Preventing XSS by techcode (Hermit) on Sep 20, 2007 at 10:47 UTC
I ended up using what ikegami sugested + whitelist of allowed charactes in the fields. I needed to encode them since I print that back (HTML::FillInForm) together with error messages. So in Data::FormValidator I created additional constraints such as that ordinary fields should contain alphanums, underscore, minus, space and dot. Email obviosly takes out space and adds @, while URL's add : and / Have you tried freelancing? Check out Scriptlance - I work there. For more info about Scriptlance and freelancing in general check out my home node.	[reply]


go ahead... be a heretic
	PerlMonks