Thread: [htmltmpl] Sanitizing data against HTML::Template tags
From: Justin S. <ju...@sk...> - 2008-03-27 10:43:48
Here's one for everyone:

I'm receiving data from $Untrusted_Source, that may have malicious code, in the form of H::T tags that I'd like to simply sanitize by munging it enough that it won't parse when run through H::T, but won't *break* H::T as well.

Can anyone think of a simple-ish regex to do this? Something like:

    my $untrusted = <STDIN>; # (or, wherever)
    $untrusted =~ s{<!-- tmpl_}{<!-- BREAK tmpl_}gi;
    $untrusted =~ s{<tmpl_}{<BREAK tmpl_}gi;

That may be all there is to it - am I missing some menacing edge case?

--
Justin Simoni
http://justinsimoni.com :: Art Portfolio
From: Alex T. <al...@ac...> - 2008-03-27 14:19:48
Yes, you are forgetting all the closing tags.

Another option would be to just eval the code as passed to a test HT object. If it breaks HT you can catch it from the eval.

HTH,
Alex

On Thu, 27 Mar 2008 04:43:41 -0600, Justin Simoni wrote
> Can anyone think of a simple-ish regex to do this? Something like:
>
> my $untrusted = <STDIN>; # (or, wherever)
> $untrusted =~ s{<!-- tmpl_}{<!-- BREAK tmpl_}gi;
> $untrusted =~ s{<tmpl_}{<BREAK tmpl_}gi;
>
> That may be all there is to it - am I missing some menacing edge case?
>
> _______________________________________________
> Html-template-users mailing list
> Htm...@li...
> https://lists.sourceforge.net/lists/listinfo/html-template-users
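The "test HT object" check Alex describes, written out as an added example (this is not code from the thread or from HTML::Template's own distribution). It assumes only the documented `scalarref` template source of `HTML::Template->new`; the sample inputs are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: probe untrusted text with a
# throwaway HTML::Template object and reject it when the constructor dies.
# HTML::Template parses the template inside new(), so that is where a
# malformed tag blows up. Sample inputs below are constructed for the demo.
use strict;
use warnings;
use HTML::Template;

# Returns 1 if $text parses as a template, 0 if HTML::Template->new dies.
# The optional $err_ref receives the parse error text, for logging.
sub parses_as_template {
    my ($text, $err_ref) = @_;
    my $ok = eval {
        # scalarref is a documented template source for new().
        HTML::Template->new(scalarref => \$text);
        1;
    };
    return 1 if $ok;
    $$err_ref = $@ if $err_ref;
    return 0;
}

# Constructed inputs: two that break the parser, two that do not.
my @samples = (
    'Plain comment text with no template syntax.',
    'Stray close tag: </TMPL_IF>',          # no matching open: new() dies
    '<TMPL_IF NAME=flag>unterminated',      # no matching close: new() dies
    '<TMPL_VAR NAME=user>',                 # well-formed: parses, but live
);

for my $s (@samples) {
    my $err;
    if (parses_as_template($s, \$err)) {
        print "parses  : $s\n";
    } else {
        $err =~ s/\s+\z//;
        print "rejected: $s\n   reason: $err\n";
    }
}
```

The fourth sample shows the limit of this check: a well-formed tag parses cleanly, so the eval never sees it, and at output time it would be expanded against whatever params the real template is filled with. The eval catches input that would break the template; it does not catch input that quietly joins it, so it complements the defanging regex rather than replacing it.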
From: Justin S. <ju...@sk...> - 2008-03-27 20:29:25
On Mar 27, 2008, at 8:19 AM, Alex Teslik wrote:
> Yes, you are forgetting all the closing tags

Ah! You are right. Anything else?

I'll have to check the docs to see if I can't apply a filter to the template after being filled out - it would be fun to then re-set the tags I just broke.

>J

On Mar 27, 2008, at 8:19 AM, Alex Teslik wrote:
> Yes, you are forgetting all the closing tags.
>
> Another option would be to just eval the code as passed to a test HT
> object.
> If it breaks HT you can catch it from the eval.
>
> HTH,
> Alex
From: Mike M. <mac...@ya...> - 2008-04-08 21:17:24
If you want to be sure not to break a template this might be embedded into, you'll need to take care of the </TMPL...> tags in the untrusted input as well.

--Mike MacKenzie

--- Justin Simoni <ju...@sk...> wrote:
> Can anyone think of a simple-ish regex to do this? Something like:
>
> my $untrusted = <STDIN>; # (or, wherever)
> $untrusted =~ s{<!-- tmpl_}{<!-- BREAK tmpl_}gi;
> $untrusted =~ s{<tmpl_}{<BREAK tmpl_}gi;
>
> That may be all there is to it - am I missing some menacing edge case?
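Justin's two substitutions carried through to the closing tags that Alex and Mike point out, as an added example (not code from the thread or from HTML::Template). One regex covers all four spellings HTML::Template recognises, `<TMPL_...>`, `</TMPL_...>`, `<!-- TMPL_... -->` and `<!-- /TMPL_... -->`, and a small check confirms the result both still parses and declares no parameters. The `BREAK` marker is Justin's; the function names and sample inputs are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: defang HTML::Template tags in
# untrusted text so that neither opening nor closing tags, in either the
# <TMPL_...> or the <!-- TMPL_... --> spelling, survive to be parsed.
# Function names and sample inputs are constructed for this demo.
use strict;
use warnings;
use HTML::Template;

sub defang_tmpl_tags {
    my ($text) = @_;
    # $1 swallows the tag prefix in all four spellings:
    #   <TMPL_      </TMPL_      <!-- TMPL_      <!-- /TMPL_
    # and is put back unchanged, with BREAK inserted before the tag name.
    # Matching is case-insensitive and tolerant of extra whitespace, so it is
    # more generous than the parser itself: it can over-defang, never miss.
    $text =~ s{ ( < (?: !-- \s* )? /? \s* ) (tmpl_) }{${1}BREAK $2}gix;
    return $text;
}

# True when $text parses (we did not break the host template) and declares
# no parameters (no live VAR/IF/UNLESS/LOOP tag was left behind).
sub is_inert {
    my ($text) = @_;
    my $t = eval { HTML::Template->new(scalarref => \$text) } or return 0;
    my @names = $t->param;    # param() with no args lists declared names
    return @names ? 0 : 1;
}

# Constructed inputs: ordinary HTML plus each tag spelling once.
my @inputs = (
    'plain text with <b>real</b> HTML, nothing to do',
    'open tag: <TMPL_VAR NAME=user>',
    'close tag only: </TMPL_IF>',
    'comment form: <!-- TMPL_LOOP NAME=rows -->row<!-- /TMPL_LOOP -->',
    'lower case: <tmpl_unless name=admin>x</tmpl_unless>',
);

for my $raw (@inputs) {
    my $clean = defang_tmpl_tags($raw);
    printf "%-6s -> %-6s  %s\n",
        (is_inert($raw)   ? 'inert' : 'unsafe'),
        (is_inert($clean) ? 'inert' : 'unsafe'),
        $clean;
}
```

Every line after the first should report `unsafe -> inert`; the first is `inert -> inert` because ordinary HTML is untouched. The defanged forms such as `<BREAK TMPL_VAR NAME=user>` and `<!-- /BREAK TMPL_LOOP -->` no longer start with the `<TMPL_`, `</TMPL_` or `<!-- /?TMPL_` prefix the parser looks for, so they pass through as text. This is only worth doing when the untrusted data has to stay raw markup inside a template; if it is meant to be shown as text, HTML-escaping it (turning `<` into `&lt;`) neutralises template tags as a side effect and is the better default.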