Re^2: default_escape for Template::Toolkit?

what do you do to prevent XSS reliably?

Sanitize user input using a accept known good only approach (link to owasp.com). I find Embperl::Form::Validate very useful, although there are many others as well.
Flip HTML::Mason's default_escape_flags so that if someone enters:
```
<script>load_malicious_javascript_from_hacker_site;</script>
[download]
```
into a text field in your blog, it is displayed verbatim rather than turned into executable code.

The OWASP Guide to Building Secure Web Applications version 3 draft is out. Is is certainly an interesting read for those concerned about web application security.

--
When you earnestly believe you can compensate for a lack of skill by doubling your efforts, there's no end to what you can't do. [1]

Comment on Re^2: default_escape for Template::Toolkit? Select or Download Code

Replies are listed 'Best First'.
Re^3: default_escape for Template::Toolkit? by moritz (Cardinal) on Apr 16, 2008 at 10:53 UTC
I think the question was directed at TT users. At least mine was. Flip HTML::Mason's default_escape_flags That's the point. TT doesn't seem to have such a flag (or at least nobody knows about it). HTML::Template and HTML::Mason (documented in HTML::Mason::Compiler have some default escaping mechanism. So what do the TT users do? I can't believe they never forget to escape something and therefore don't need a better solution.	[reply]
Re^4: default_escape for Template::Toolkit? by andreas1234567 (Vicar) on Apr 16, 2008 at 11:05 UTC
I agree that I have taken tinita's last question in Re: default_escape for Template::Toolkit? out of the original context. So what do the TT users do? I have no idea. Except consider how important such a feature is, and given it's important, switch to a templating system that supports it. -- When you earnestly believe you can compensate for a lack of skill by doubling your efforts, there's no end to what you can't do. [1]	[reply]