Beefy Boxes and Bandwidth Generously Provided by pair Networks
The stupid question is the question not asked

Best Module for Cross-Site Scripting ?

by gube (Parson)
on Aug 18, 2010 at 20:56 UTC ( #855910=perlquestion: print w/replies, xml ) Need Help??

gube has asked for the wisdom of the Perl Monks concerning the following question:


I used HTML::TagFilter. It filters the html tags. HTML::StripScripts::Parser is for striping the scripts also. Some one please suggest which module is good one ?

I need to get rid of orphan tags and from javascript injecting ?

Thanks, Gubs

Replies are listed 'Best First'.
Re: Best Module for Cross-Site Scripting ?
by pemungkah (Priest) on Aug 18, 2010 at 22:23 UTC
    You should make sure whatever solution you finally end up choosing can beat the XSS Cheat Sheet. That will require testing in a lot of different browsers on a lot of different machines.

    You should also seriously ask these questions:

    1. Do the users really need any markup at all?
    2. If they do, does it have to be HTML?
    3. If they do, can it be a very limited set of tags?
    You may find that you'll be able to choose a simpler means of filtering depending on your answers.
Re: Best Module for Cross-Site Scripting ?
by rowdog (Curate) on Aug 19, 2010 at 11:13 UTC

    You should be able to clean up the tags with one of the tidy or lint modules. As for avoiding JavaScript injection, my advice would be to skip HTML altogether and let the users use something like BBCode instead. You will also want to run the user input through something like HTML::Entities to escape any attempts at markup.

    Please be careful; it's very easy to screw up this kind of code with one little mistake.

Re: Best Module for Cross-Site Scripting ?
by duelafn (Vicar) on Aug 19, 2010 at 12:36 UTC

    The one time I actually needed to accept (and filter) HTML I used HTML::Scrubber and found it to be nice. However, all other times I simply use encode_entities($input, '<>&"'); from HTML::Entities (or an equivalent speedier sub).

    Good Day,

      I have also had very good experience with HTML::Scrubber. I use it entirely in "whitelist mode", so only the tags I want come through, and for those tags, only the attributes I want on them come through.

      One small drawback is that it does not check for the HTML being well-formed, e.g. if you send it HTML snippets with missing closing tags, those will come through as-is.


Re: Best Module for Cross-Site Scripting ?
by gube (Parson) on Aug 20, 2010 at 02:04 UTC
    Hi All, Thanks to everyone. I used HTML::TagFilter and passed allow_tags all my issues resolved. thanks, Gubs

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://855910]
Approved by Corion
Front-paged by Corion
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others rifling through the Monastery: (4)
As of 2020-12-02 07:56 GMT
Find Nodes?
    Voting Booth?
    How often do you use taint mode?

    Results (35 votes). Check out past polls.