From: Sven Neuhaus <sven-html-template@sv...> - 2006-11-24 15:52:06
I have opened a new bug (#23592) on rt.cpan.org for a new feature request:
The "force_untaint" option. This option makes sure that no tainted values
are set in the template.
If set to 1, only TMPL_VARs with no ESCAPE-attribute must be untainted,
if set to 2, every TMPL_VAR must be untainted.
I have attached a patch to the bug that implements this feature.
Please let me know what you think. I believe this would be very helpful in
preventing cross-site-scripting (CSS) bugs.
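The two levels of the option described above, as an added example that is not code from this thread or from the patch itself; it assumes the force_untaint option as it later shipped in HTML::Template (2.9 and up), and the request input is constructed:

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. It assumes the force_untaint option
# as it later shipped in HTML::Template (2.9 and up): level 1 refuses a tainted
# value for any TMPL_VAR that lacks an ESCAPE attribute, level 2 refuses tainted
# values everywhere. Run with taint checks on (-T) or nothing is ever tainted.
use strict;
use warnings;
use HTML::Template;
use Scalar::Util qw(tainted);

# Constructed request input: under -T everything read from %ENV is tainted,
# just like CGI parameters, STDIN, or DBI results fetched with TaintOut set.
$ENV{QUERY_STRING} = 'name=<script>alert(1)</script>';
my $raw_name = substr($ENV{QUERY_STRING}, length('name='));
print "input tainted: ", (tainted($raw_name) ? "yes" : "no"), "\n";

my $tmpl_text = <<'END_TMPL';
<p>Hello <TMPL_VAR NAME="safe_name" ESCAPE="HTML"></p>
<p>Raw:   <TMPL_VAR NAME="raw_name"></p>
END_TMPL

my $t = HTML::Template->new(scalarref => \$tmpl_text, force_untaint => 1);

# Level 1: a tainted value is accepted where the template escapes it itself ...
$t->param(safe_name => $raw_name);

# ... but the same tainted string on the unescaped TMPL_VAR makes the module
# croak instead of emitting the script tag into the page.
my $html = eval { $t->param(raw_name => $raw_name); $t->output };
print "refused: $@" unless defined $html;

# The only way through is an explicit untaint, which forces the author to
# decide what is acceptable. A whitelist capture clears the taint flag; with
# force_untaint => 2 the same check would also apply to the escaped variable.
my ($clean_name) = $raw_name =~ /^([\w .-]{1,40})$/;
$clean_name = 'anonymous' unless defined $clean_name;
$t->param(raw_name => $clean_name);
print $t->output;
```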
From: Sven Neuhaus <sven-html-template@sv...> - 2006-12-07 09:28:17
Sven Neuhaus wrote:
> The "force_untaint" option. This option makes sure that no tainted values
> are set in the template.
> Please let me know what you think. I believe this would be very helpful in
> preventing cross-site-scripting (CSS) bugs.
No feedback? :-(
I believe honoring Perl's taint flag in HTML::Template is a more perlish and
natural solution to the XSS problem than the proposal by Shlomi Fish
("Suggestion on how to eliminate Cross-site-scripting (XSS) bugs for
good."). Combine this with DBI's TaintIn flag and it gets pretty hard to
accidentally leave XSS bugs in.
I've been using the patched version of HTML::Template for two weeks now
without problems. I have modified the 2nd patch slightly so it tells you
which parameter is tainted in some easy cases (like the first patch did).