On 9/12/05, John Krystynak <[EMAIL PROTECTED]> wrote:
> I just installed CGI::Untaint::html, and I added a html => [col1 col2 col3].
>
> __PACKAGE__->untaint_columns(
>     html    => [qw(address1 address2 city company country fax
>                    first last phone state
>                    postal_code)],
>     integer => [qw(user)]
> );
>
> When I run this, I get no errors. However, maybe it doesn't do what I
> think. I'm trying to prevent cross-scripting attacks by not allowing
> html in input fields, but I could put "<form><input="text"></form>"
> into the text input and have no complaints from the untaint is_valid
> check.
>
> Is there an example somewhere that does this? Or perhaps I have to
> write code with a subroutine that calls $handler->extract( $col )?
From my cursory reading of the docs, the html handler does not ban html,
just certain dangerous constructs within html. Try putting in something
like that.

d.

_______________________________________________
Maypole-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/maypole-users
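As an added example that is not part of the thread: a custom CGI::Untaint handler that refuses any markup at all, which is the behaviour the original question was after, rather than filtering dangerous constructs the way CGI::Untaint::html does. The handler name "nohtml" and its package are my own; the sample submission is constructed from the form fields and payload mentioned above.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumes CGI::Untaint is installed;
# the "nohtml" handler defined here is hypothetical, not a CPAN module.
use strict;
use warnings;
use CGI::Untaint;

# A handler is a package under CGI::Untaint:: that supplies _untaint_re.
# The first capture group is what extract() hands back; no match means the
# value is rejected and $handler->error is set. Refusing '<' and '>' bans
# markup outright instead of only stripping constructs deemed dangerous.
package CGI::Untaint::nohtml;
use base 'CGI::Untaint::object';
sub _untaint_re { qr/^([^<>]*)$/ }

package main;

# The package is defined inline, so tell perl it is already "loaded" in
# case CGI::Untaint tries to require it from disk.
$INC{'CGI/Untaint/nohtml.pm'} = __FILE__;

# Constructed sample submission: one plain field, one carrying the
# markup quoted in the original question.
my %params = (
    address1 => '42 Example Street',
    address2 => '<form><input="text"></form>',
);
my $handler = CGI::Untaint->new(\%params);

for my $col (qw(address1 address2)) {
    my $clean = $handler->extract(-as_nohtml => $col);
    if (defined $clean) {
        print "$col accepted: $clean\n";
    } else {
        print "$col rejected: ", $handler->error, "\n";
    }
}
```

With such a package on the include path, the same handler could be named in Maypole's untaint_columns (e.g. nohtml => [qw(address1 ...)]) in place of the html type, on the assumption that Maypole maps the type name to a CGI::Untaint::<type> package.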
