On Tue, Jan 22, 2002 at 09:25:15AM -0800, Paul Lindner wrote:
> Hi,
> 
> I thought it might be interesting to start a thread on cross-site
> scripting attacks, since it seems that many people are not aware of
> the risks involved.  Has anyone noticed attacks on their applications?
> Do you religiously check all input you get from form-submissions?
> What techniques do you use to ensure that your application is not
> vulnerable?

I've been pondering a lot about this lately, since I find creating
form validation routines very repetitive. So what I've come up with
so far is (not yet finished):

my $fields = {
              id => ['\d+', \&validation_sub ],
              text => ['(?:\w\s)+']
              };

And I feed this along with the request or cgi object to a function
that checks each key for first the simple regexp to see if it's worth
trying the real validation function.
My little system for doing this isn't 

All the variables that are passed through form fields into other pages
go through HTML::Entities' encode_entities function right before they're
inserted in a template.

-- 
  Thomas Eibner <http://thomas.eibner.dk/> DnsZone <http://dnszone.org/>
  mod_pointer <http://stderr.net/mod_pointer> 
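
The two-stage scheme described in the mail (a cheap regexp per field, then an
optional validation sub, then encode_entities on the way out), written up as a
self-contained Perl script. This is an added example, not Thomas's own code: the
spec hash follows his shape but uses anchored qr// patterns instead of bare
strings, the validate_fields function and the id_exists sub are hypothetical
names, and the %$params hash is constructed sample input standing in for a CGI
or Apache request object. HTML::Entities and its encode_entities are the real
CPAN module and function.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Field spec in the shape from the mail: key => [ regexp, optional sub ].
# Patterns are anchored so "42; drop table" cannot sneak past a bare \d+.
my $fields = {
    id   => [ qr/^\d+$/,           \&id_exists ],
    text => [ qr/^(?:\w+\s*)+$/ ],
};

# Hypothetical second-stage check; in real code this would be the
# database lookup that is only worth doing once the regexp has passed.
sub id_exists {
    my ($value) = @_;
    return $value > 0 && $value < 1_000_000;
}

# Walk the spec, not the input: every field in the spec must be present
# and match its regexp, then pass its sub if one is given. Keys that are
# in the input but not in the spec are silently dropped.
sub validate_fields {
    my ($spec, $params) = @_;
    my (%clean, @errors);
    for my $name (sort keys %$spec) {
        my ($re, $check) = @{ $spec->{$name} };
        my $value = $params->{$name};
        if (!defined $value || $value !~ $re) {
            push @errors, "$name: missing or malformed";
            next;
        }
        if ($check && !$check->($value)) {
            push @errors, "$name: rejected by validation sub";
            next;
        }
        $clean{$name} = $value;
    }
    return (\%clean, \@errors);
}

# Constructed sample submissions (what $cgi->Vars would hand you).
my @submissions = (
    { id => '42',          text => 'hello world',
      extra => '<script>alert(1)</script>' },   # extra key is dropped
    { id => '42; drop',    text => 'hello' },   # fails the regexp
    { id => '0',           text => 'hello' },   # passes regexp, fails sub
);

for my $params (@submissions) {
    my ($clean, $errors) = validate_fields($fields, $params);
    print "error: $_\n" for @$errors;
    # Output side: escape right before the value lands in HTML, so that a
    # value like "<b>" arrives in the page as &lt;b&gt; and not as markup.
    for my $name (sort keys %$clean) {
        printf "<td>%s</td>\n", encode_entities($clean->{$name});
    }
    print "--\n";
}
```

The point of checking the spec's keys rather than the request's is that the
template only ever sees values the application explicitly asked for; anything
else the browser sent never reaches the page. Escaping at the last moment, in
the output loop, keeps the stored value intact and makes the template the one
place where the decision "this is text, not markup" is enforced.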
