Re: [Pas-dev] for better or worse, XSS filtering is here
From: Kyle R . B. <mo...@vo...> - 2002-05-22 22:03:09
> Also, what about the possibility of malicious code in the query parameter
> names themselves?
Ok, I'm about to check in a changed version of the function. The changes
include support for defanging the query parameter names, and it accounts
for multiple values for a query parameter. It also uses the logging to
log a warning that includes the remote addr (not completely reliable, but
better than nothing).
Kyle
==>
use strict;
use warnings;
use CGI;
use HTML::Entities;

our $log;   # application logger initialised elsewhere (only warn() is used here)

# Matches a closed <script>, <embed>, <applet> or <object> element with any
# attributes. /i: case-insensitive; /s: the body may span newlines; /x: layout.
# The closing tag must match the opening one (backreference). Unclosed tags
# such as "<script src=...>" and attribute vectors such as onerror= are not
# matched by this pattern.
my $scriptingRegex = qr{
    <\s*(script|embed|applet|object)\b[^>]*>   # opening tag, optional attributes
    .*?                                         # element body
    <\s*/\s*\1\s*>                              # matching closing tag
}imsx;

sub inspect_request
{
    my ($q) = @_;

    # Pass 1: parameter names. Collect the offenders first so the list
    # returned by param() is not changed while it is being walked.
    my @badParameters = ();
    foreach my $p ($q->param()) {
        if ($p =~ $scriptingRegex) {
            $log->warn("possible XSS attack found while scrubbing ",
                       "parameter names: '$p' REMOTE_ADDR: ", $ENV{'REMOTE_ADDR'});
            push @badParameters, $p;
        }
    }
    foreach my $badParam (@badParameters) {
        my @values = $q->param($badParam);   # every value, not just the first
        $q->delete($badParam);
        my $p = HTML::Entities::encode_entities($badParam);
        $q->param($p, @values);
    }

    # Pass 2: parameter values. $x aliases the element of @x, so assigning to
    # it rewrites the array in place; the whole array is then stored back.
    foreach my $p ($q->param()) {
        my @x = $q->param($p);
        foreach my $x (@x) {
            if ($x =~ $scriptingRegex) {
                $log->warn("possible XSS attack found while scrubbing ",
                           "parameter values: '$p' => '$x' REMOTE_ADDR: ", $ENV{'REMOTE_ADDR'});
                $x = HTML::Entities::encode_entities($x);
            }
        }
        $q->param($p, @x);
    }
    return $q;
}
--
------------------------------------------------------------------------------
Wisdom and Compassion are inseparable.
-- Christmas Humphreys
mo...@vo... http://www.voicenet.com/~mortis
------------------------------------------------------------------------------
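Added example, not part of Kyle's post or the project's code: a stand-alone Perl script that runs the same four-tag pattern over constructed query strings, the way inspect_request above does (names renamed, values encoded in place, multiple values kept), and then lists what a closed-tag blacklist does not catch. It assumes CGI.pm and HTML::Entities are installed; the scrub() function, the @cases list and the query strings in it are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use HTML::Entities qw(encode_entities);

$CGI::LIST_CONTEXT_WARN = 0;   # CGI.pm >= 4.08 warns on list-context param(); it is intended here

# The same four container tags the post's filter looks for, as one alternation
# with a backreference so the closing tag must match the opening one.
my $scriptingRegex = qr{
    <\s*(script|embed|applet|object)\b[^>]*>   # opening tag, optional attributes
    .*?                                         # body; /s lets it span newlines
    <\s*/\s*\1\s*>                              # matching closing tag
}imsx;

# Example scrubber (constructed here, not the project's own): a matching
# parameter name is entity-encoded and its values carried over, a matching
# value is entity-encoded in place. Returns a list of what was flagged.
sub scrub {
    my ($q) = @_;
    my @hits;
    foreach my $name ($q->param()) {
        my @values   = $q->param($name);
        my $new_name = $name;
        if ($name =~ $scriptingRegex) {
            push @hits, "name '$name'";
            $q->delete($name);
            $new_name = encode_entities($name);
        }
        foreach my $v (@values) {            # $v aliases @values: edits land in the array
            if ($v =~ $scriptingRegex) {
                push @hits, "value '$v'";
                $v = encode_entities($v);
            }
        }
        $q->param($new_name, @values);
    }
    return @hits;
}

# Constructed query strings (URL-encoded, as a browser would send them).
my @cases = (
    # caught: closed tag in a multi-valued parameter, multi-line upper-case tag, tag in a name
    'color=red&color=%3Cscript%3Ealert(1)%3C%2Fscript%3E&color=blue',
    'q=%3CSCRIPT%20src%3D%22x.js%22%3E%0Avar%20a%3B%0A%3C%2Fscript%3E',
    '%3Cscript%3E%3C%2Fscript%3E=1',
    # missed: no closing tag, event-handler attribute, javascript: URL
    'q=%3Cscript%20src%3Dhttp%3A%2F%2Fevil%2Fx.js%3E',
    'q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E',
    'url=javascript%3Aalert(1)',
);

foreach my $qs (@cases) {
    my $q    = CGI->new($qs);          # CGI.pm parses a plain string as a query string
    my @hits = scrub($q);
    print "$qs\n  ", (@hits ? "flagged: " . join('; ', @hits) : "passed unchanged"), "\n";
    foreach my $name ($q->param()) {
        print "  $name = ", join(' | ', $q->param($name)), "\n";
    }
}

# Whatever the scrubber lets through is still harmless if the page encodes at
# the point of output; the scrubber is a logging aid, not the defence.
my $missed = '<img src=x onerror=alert(1)>';
print "\nencoded on output: ", encode_entities($missed), "\n";
```

Run it with `perl scrub_demo.pl` (any file name will do). The first three requests are flagged and come back with the tag entity-encoded and every other value intact; the last three pass the filter untouched, which is why the final line applies encode_entities at render time instead of relying on the request-side scan.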