Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses

Re: XSS protection in CGI::Application

by skx (Parson)
on Mar 02, 2010 at 19:30 UTC ( #826239=note: print w/replies, xml ) Need Help??

in reply to XSS protection in CGI::Application

The way I'd solve this is to explicitly catch an unknown mode via:

my $self = shift; $self->run_modes( # default 'index' => 'index', # user's tag cloud 'tag_cloud' => 'tag_cloud', 'edit_tags' => 'edit_tags', 'tag_find' => 'tag_find', .. # called on unknown mode. 'AUTOLOAD' => 'unknown_mode', );

In your unknown mode you can then handle it as you wish - without echoing the mode back to the client and potentially allowing an XSS attack.

My own method is generally:

sub unknown_mode { my ( $self, $requested ) = (@_); my $q = $self->query(); my $session = $self->param('session'); my $username = $session->param('logged_in'); $requested = HTML::Entities::encode_entities($requested); if ( defined($username) && length($username) ) { return "<p>unknown mode '$requested' for logged in user $usern +ame</p>"; } else { return "<p>Unknown mode '$requested' for anonymous user.</p>"; } }

Obviously the username section is specific to the sites I design .. but the idea of handling the unknown mode yourself should be simple enough to understand?


Replies are listed 'Best First'.
Re^2: XSS protection in CGI::Application
by srdst13 (Pilgrim) on Mar 02, 2010 at 19:54 UTC

    This worked as expected. Thanks for the help.


Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://826239]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others browsing the Monastery: (7)
As of 2021-02-28 20:48 GMT
Find Nodes?
    Voting Booth?

    No recent polls found