Re: [htmltmpl] Patch for new option "force_untaint" - comments?
From: Sven N. <sve...@sv...> - 2006-12-07 09:28:17
Sven Neuhaus wrote:
> The "force_untaint" option. This option makes sure that no tainted values
> are set in the template.
> [...]
> Please let me know what you think. I believe this would be very helpful in
> preventing cross-site-scripting (CSS) bugs.

No feedback? :-(

I believe honoring Perl's taint flag in HTML::Template is a more perlish and natural solution to the XSS problem than the proposal by Shlomi Fish ("Suggestion on how to eliminate Cross-site-scripting (XSS) bugs for good."). Combine this with DBI's TaintIn flag and it gets pretty hard to accidentally leave XSS bugs in.

I've been using the patched version of HTML::Template for two weeks now without problems.

I have modified the 2nd patch slightly so it tells you which parameter is tainted in some easy cases (like the first patch did).

-Sven
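The workflow the post argues for, as an added example that is not part of the original mail or of HTML::Template itself: taint mode marks the untrusted input, `force_untaint` (assumed here to behave as the post describes, refusing tainted values in `param()`) stops it from reaching the template, and an allow-list regex is the only step that clears the flag. The sample input is constructed inline.

```perl
#!/usr/bin/perl -T
# Run as: perl -T force_untaint_demo.pl   (taint mode must be on from the start)
use strict;
use warnings;
use Scalar::Util qw(tainted);
use HTML::Template;

# Inline template so the example needs no template file. ESCAPE=HTML stays on as
# a second layer: untainting proves a value was validated, not that it is safe
# to emit unescaped.
my $tmpl = HTML::Template->new(
    scalarref     => \'<p>Hello, <TMPL_VAR NAME="name" ESCAPE="HTML"></p>',
    force_untaint => 1,   # assumed semantics, per the post: refuse tainted values
);

# Constructed sample input. A string literal is never tainted, so we taint it by
# appending an empty slice of an environment value (all of %ENV is tainted under
# -T). To the interpreter this now looks exactly like a CGI parameter.
my $taint_marker = substr($ENV{PATH} // '', 0, 0);
my $name = '<script>alert(1)</script>' . $taint_marker;
print "input tainted: ", (tainted($name) ? "yes" : "no"), "\n";

# 1. Setting the tainted value directly: with force_untaint the module refuses
#    it instead of silently rendering attacker-controlled markup.
if (eval { $tmpl->param(name => $name); 1 }) {
    print "set tainted value without complaint (force_untaint not in effect)\n";
} else {
    print "rejected: $@";
}

# 2. The sanctioned path: validate against an allow-list pattern. Only a regex
#    capture clears the taint flag, so the pattern is where the security
#    decision is made; a catch-all like /(.*)/ would launder anything.
if ($name =~ /^([A-Za-z][A-Za-z' -]{0,39})\z/) {
    $tmpl->param(name => $1);   # $1 is untainted and matches the allow-list
    print $tmpl->output;
} else {
    print "input rejected by allow-list, nothing set in the template\n";
}
```

With the constructed input, step 1 dies under `force_untaint` and step 2 rejects the value; replace the sample with a plain name such as `Sven` to see the template render.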