David,

I've tried a variety of constructs in my tests that I wouldn't consider safe, such as putting:

- unclosed tags
- forms
- 3rd party img src

and they all went through fine. I can't find anything that actually gets rejected.

Anyways, this issue plus the error issue makes me think I should just do all validation manually. But I'm not sure how to do that.

Thanks,
johnk

On 9/12/05, David Baird <[EMAIL PROTECTED]> wrote:
> On 9/12/05, John Krystynak <[EMAIL PROTECTED]> wrote:
> > I just installed CGI::Untaint::html, and I added a html => [col1 col2 col3].
> >
> > __PACKAGE__->untaint_columns(
> >     html => [qw(address1 address2 city company country fax
> >                 first last phone state
> >                 postal_code)],
> >     integer => [qw(user)]
> > );
> >
> > When I run this, I get no errors. However, maybe it doesn't do what I
> > think. I'm trying to prevent cross-scripting attacks by not allowing
> > html in input fields, but I could put "<form><input="text"></form>"
> > into the text input and have no complaints from untaint is_valid
> > check.
> >
> > Is there an example somewhere that does this? Or perhaps I have to
> > write code with a subroutine that calls $handler->extract( $col )??
>
> From my cursory reading of the docs, the html handler does not ban
> html, just certain dangerous constructs within html. Try putting in
> something like that.
>
> d.
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> Maypole-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/maypole-users

--
Check out my AdWords and Overture blog: http://gotads.blogspot.com
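As an added example (not code from this thread, from Maypole or from CGI::Untaint), one way to do the manual check John is after while still going through the untaint machinery: a custom handler that accepts a column only when it contains no HTML at all, instead of the `html` handler, which only strips dangerous constructs. It assumes CGI::Untaint's handler interface (`_untaint_re`, `is_valid`, `value`) and the `CGI::Untaint::<name>` naming convention, so `plaintext => [qw(...)]` in `untaint_columns` would select it; the handler name and the sample input are constructed here.

```perl
# Added example: a CGI::Untaint handler for columns that must hold plain
# text only. Not from the thread, Maypole or CGI::Untaint itself.
package CGI::Untaint::plaintext;
use strict;
use warnings;
use base 'CGI::Untaint::object';

# Tell require() this package is already loaded, since it lives in this file
# rather than in CGI/Untaint/plaintext.pm.
BEGIN { $INC{'CGI/Untaint/plaintext.pm'} = __FILE__ }

# Capture the whole value; the accept/reject decision is made in is_valid.
sub _untaint_re { qr/\A(.*)\z/s }

sub is_valid {
    my $self  = shift;
    my $value = $self->value;
    return 0 if $value =~ /[<>]/;       # anything tag-like, open or unclosed
    return 0 if $value =~ /&#?\w+;/;    # character or entity references
    return 1;
}

package main;
use CGI::Untaint;

# Constructed form input: one clean field, one carrying the markup from the
# thread ("<form><input=...></form>") that CGI::Untaint::html let through.
my $h = CGI::Untaint->new({
    city     => 'San Francisco',
    address1 => '<form><input="text"></form>',
});

for my $col (qw(city address1)) {
    my $clean = $h->extract(-as_plaintext => $col);
    printf "%-9s %s\n", $col,
        defined $clean ? "accepted: $clean" : "rejected: " . $h->error;
}
```

Rejecting markup on the way in only controls what gets stored; values still need HTML escaping when the templates print them, since other code paths can write to the same columns.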
