From: Sven Neuhaus <sven-html-template@sv...> - 2006-11-24 15:52:06
I have opened a new bug (#23592) on rt.cpan.org for a new feature request:
The "force_untaint" option. This option makes sure that no tainted values
are set in the template.
If set to 1, only TMPL_VARs with no ESCAPE-attribute must be untainted,
if set to 2, every TMPL_VAR must be untainted.
I have attached a patch to the bug that implements this feature.
Please let me know what you think. I believe this would be very helpful in
preventing cross-site-scripting (CSS) bugs.
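Added illustration, not the patch attached to bug #23592: a stand-alone, hypothetical `check_params()` helper that models the described `force_untaint` policy outside HTML::Template, using Perl's taint flag via `Scalar::Util::tainted` and a constructed map of which TMPL_VARs carry an ESCAPE attribute.

```perl
#!/usr/bin/perl -T
# Models the force_untaint rule from the post; hypothetical helper,
# not HTML::Template's own code.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed description of the TMPL_VARs in a template:
# name => 1 if the tag has an ESCAPE attribute, 0 if it outputs raw.
my %has_escape = (
    title => 1,   # <TMPL_VAR NAME=title ESCAPE=HTML>
    body  => 0,   # <TMPL_VAR NAME=body>   (no escaping at all)
);

# force_untaint 0: no check; 1: vars WITHOUT ESCAPE must be untainted;
# 2: every var must be untainted. Dies naming the offending parameter.
sub check_params {
    my ($params, $force_untaint, $escape_map) = @_;
    return 1 unless $force_untaint;
    for my $name (sort keys %$params) {
        next unless tainted($params->{$name});
        next if $force_untaint == 1 && $escape_map->{$name};
        die "force_untaint=$force_untaint: tainted value for TMPL_VAR '$name'\n";
    }
    return 1;
}

# Constructed sample input. Under -T, %ENV is tainted, so appending an
# empty slice of $ENV{PATH} produces a tainted copy of a harmless string.
my $user_input = "Hello world" . substr($ENV{PATH} // '', 0, 0);
# Untainting the usual Perl way: validate and extract through a regex capture.
my ($validated) = $user_input =~ /\A([\w ]+)\z/;

my @cases = (
    ["tainted title (escaped), untainted body", { title => $user_input, body => $validated }],
    ["tainted body (raw output)",               { title => $validated,  body => $user_input }],
);
for my $case (@cases) {
    my ($label, $params) = @$case;
    for my $mode (0, 1, 2) {
        my $ok = eval { check_params($params, $mode, \%has_escape) };
        print "force_untaint=$mode, $label: ", ($ok ? "accepted\n" : "rejected, $@");
    }
}
```

Run it with `perl -T`; without taint mode `tainted()` is always false and every mode accepts, which is exactly the gap the proposed option is meant to close.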
From: Sven Neuhaus <sven-html-template@sv...> - 2006-12-07 09:28:17
Sven Neuhaus wrote:
> The "force_untaint" option. This option makes sure that no tainted values
> are set in the template.
> Please let me know what you think. I believe this would be very helpful in
> preventing cross-site-scripting (CSS) bugs.
No feedback? :-(
I believe honoring perl's taint flag in HTML::Template is a more perlish and
natural solution to the XSS problem than the proposal by Shlomi Fish
("Suggestion on how to eliminate Cross-site-scripting (XSS) bugs for
good."). Combine this with DBI's TaintIn flag and it gets pretty hard to
accidentally leave XSS bugs in.
I've been using the patched version of HTML::Template for two weeks now
without problems. I have modified the 2nd patch slightly so it tells you
which parameter is tainted in some easy cases (like the first patch did).