Re: [Pas-dev] perldoc perlre
From: Justin B. <ju...@le...> - 2002-05-20 18:29:31
Kyle R . Burton wrote:
>>Hey, I suck at this stuff. I've condensed this down from 4 nested ifs to
>>one. I'd like to go further, but
>>1. I'm not sure how
>>2. I'm not sure anybody'd be able to read it.
>>
>>   # find the script, embed, applet and object tags anywhere in a
>>   # query parameter and defang them. No original content is lost,
>>   # so you can always decode_entities to restore the data.
>>   if ($x =~ /(<\s*script(?:\s[^>]*>|>).*?<\s*?\/script\s*?>)|
>>             (<\s*embed(?:\s[^>]*>|>).*?<\s*?\/embed\s*?>)|
>>             (<\s*applet(?:\s[^>]*>|>).*?<\s*?\/applet\s*?>)|
>>             (<\s*object(?:\s[^>]*>|>).*?<\s*?\/object\s*?>)/imsx ){
>>       $x = HTML::Entities::encode_entities($x);
>>       $q->param($p,$x);
>>   }
>> }
>
>
> How about something like:
>
> foreach my $paramName ( $q->param() ) {
>     my @values = ();
>     foreach my $value ( $q->param($paramName) ) {
>         foreach my $badTag ( qw( script embed applet object ) ) {
>             # entity-encode the brackets of the opening and closing tag
>             $value =~ s|<\s*($badTag\b[^>]*)>(.*?)<(\s*?/$badTag\s*)>|&lt;$1&gt;$2&lt;$3&gt;|igms;
>         }
>         push @values, $value;
>     }
>     $q->param($paramName,@values);
> }
>
> Is that any more readable? That only hits the tags we're interested in
> defanging...
>
> Don't forget that you can have multiple values for a CGI parameter.
how about this: make badTag configurable inside pas.conf. whatever the variable
will be named, returns an array. so if someone wants it for all HTML tags, they
just set the variable to '.*'. have that example & the 'script embed applet
object' example.
justin
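As an added example (not code from this thread or from the Pas project), here is one way to implement the configurable tag list Justin proposes, generalized a little beyond the thread: the list of tag names is read into a single regex, `.*` means every tag, and each matching opening or closing tag is defanged on its own, so an unclosed `<script` tag is still neutralized rather than slipping past a pattern that insists on a matching `</script>`. The parameter hash, the `@BAD_TAGS` value, `tag_regex`, `defang` and `defang_params` are all assumptions standing in for the real pas.conf variable and the CGI object.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical config value (stand-in for the pas.conf variable Justin
# suggests): the tag names to defang. '.*' means every tag.
my @BAD_TAGS = qw(script embed applet object);

# Build one regex from the configured list. Names are quotemeta'd so a
# config value cannot inject regex syntax; '.*' is the only wildcard.
sub tag_regex {
    my @tags = @_;
    my $names = (grep { $_ eq '.*' } @tags)
        ? '[a-z][a-z0-9]*'
        : join '|', map { quotemeta } @tags;
    # Opening or closing tag: optional '/', the name as a whole word,
    # then any attributes up to '>'. [^>]* also spans newlines, so a
    # tag split across lines is still caught.
    return qr{<(\s*/?\s*(?:$names)\b[^>]*)>}i;
}

# Replace the angle brackets of matching tags with entities. The content
# between tags is untouched, so HTML::Entities::decode_entities restores it.
sub defang {
    my ($value, $re) = @_;
    $value =~ s/$re/&lt;$1&gt;/g;
    return $value;
}

# Apply to every value of every parameter; CGI parameters are
# multi-valued, so $params maps a name to an array ref of values.
sub defang_params {
    my ($params, @tags) = @_;
    my $re = tag_regex(@tags);
    my %out;
    for my $name (keys %$params) {
        $out{$name} = [ map { defang($_, $re) } @{ $params->{$name} } ];
    }
    return \%out;
}

# Constructed sample input, not real request data.
my %params = (
    q    => [ 'plain text', '<SCRIPT src="x.js">alert(1)</script>', '<script' ],
    tags => [ '<b>bold</b>', "<object\n data=foo>" ],
);

my $clean = defang_params(\%params, @BAD_TAGS);
for my $name (sort keys %$clean) {
    print "$name: $_\n" for @{ $clean->{$name} };
}
# With the '.*' wildcard every tag is defanged, including <b>.
my $all = defang_params(\%params, '.*');
print "wildcard tags: $_\n" for @{ $all->{tags} };
```

Two points worth checking when dropping something like this into a request handler: a value such as `<script` with no closing `>` is left alone by this regex (there is no bracket pair to encode), so pair it with output encoding rather than treating it as the only line of defence, and run it over every value of every parameter, as Kyle notes, since `$q->param($name)` returns a list.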