On Thu, May 06, 2010 at 08:14:03AM -0400, Michel Fortin wrote:
> On 2010-05-06 at 7:24, Louis-David Mitterrand wrote:
>
> > Fortunately HTML::Scrubber allows denying specific attributes based on a
> > regexp:
> >
> > 'href' => qr{^(?!(?:java)?script)}i,
> > 'src' => qr{^(?!(?:java)?script)}i,
> > etc.
>
> That's full of holes. Use a whitelist, not a blacklist. For instance,
> it won't catch this:

I am using a whitelist; it was just an example.

>
> javascript:alert('XSS')
>
> or this:
>
> jav ascript:alert('XSS');

Good points. Perl users might want to HTML::Entities::decode($html) before
using HTML::Scrubber.

> which will work, at least in some browsers!
>
> Here's a good reference about javascript attacks (not all cases will apply to
> you, but a good reference nonetheless):
> <http://ha.ckers.org/xss.html>

Thanks,

_______________________________________________
Markdown-Discuss mailing list
Markdown-Discuss@six.pairlist.net
http://six.pairlist.net/mailman/listinfo/markdown-discuss
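As an added illustration of the whitelist-versus-blacklist point in the thread (a Python stand-in written for this page, not HTML::Scrubber code or anything posted by the participants): the thread's deny-list regexp is run on the raw attribute value next to a scheme allow-list that first decodes entities and strips the whitespace browsers ignore. The allowed scheme set, the tab in the split "jav ascript" sample and the entity-encoded sample are assumptions.

```python
import html
import re

# Assumption for this example: the URL schemes the page is willing to link to.
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}

# The deny-list regexp from the thread, applied to the raw attribute value.
# It only rejects values that literally begin with "script" or "javascript".
DENYLIST_RE = re.compile(r"^(?!(?:java)?script)", re.I)

def normalise_url(value: str) -> str:
    """Undo what a browser does before it reads the scheme: decode HTML
    entities (the HTML::Entities::decode step suggested in the thread) and
    drop tab/newline/CR plus leading control and space characters."""
    decoded = html.unescape(value)
    decoded = re.sub(r"[\t\n\r]", "", decoded)
    return re.sub(r"^[\x00-\x20]+", "", decoded)

def url_scheme(value: str):
    """Lower-cased scheme of a URL, or None when the URL is relative."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):", value)
    return m.group(1).lower() if m else None

def denylist_allows(value: str) -> bool:
    """Verdict of the thread's regexp on the raw value."""
    return DENYLIST_RE.match(value) is not None

def allowlist_allows(value: str) -> bool:
    """Normalise first, then accept only relative URLs or allowed schemes."""
    scheme = url_scheme(normalise_url(value))
    return scheme is None or scheme in ALLOWED_SCHEMES

# Constructed attribute values: two benign URLs, the thread's two examples
# (a tab standing in for the whitespace that split "jav ascript"), and an
# entity-encoded variant of the first that decode() would expose.
SAMPLES = [
    "http://example.com/",
    "/relative/page.html",
    "javascript:alert('XSS')",
    "jav\tascript:alert('XSS');",
    "&#106;avascript:alert('XSS')",
]

def compare(values=SAMPLES):
    """Map each value to (deny-list verdict, allow-list verdict)."""
    return {v: (denylist_allows(v), allowlist_allows(v)) for v in values}

if __name__ == "__main__":
    print(compare())
```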