On Tue, Jan 22, 2002 at 09:25:15AM -0800, Paul Lindner wrote:
> Hi,
>
> I thought it might be interesting to start a thread on cross-site
> scripting attacks, since it seems that many people are not aware of
> the risks involved. Has anyone noticed attacks on their applications?
> Do you religiously check all input you get from form-submissions?
> What techniques do you use to ensure that your application is not
> vulnerable?
I've been pondering a lot about this lately, since I find creating form validation routines very repetitive. So what I've come up with so far is (not yet finished):

    # one entry per form field: a cheap regexp, then an optional
    # coderef that does the real validation
    my $fields = {
        id   => [ '\d+', \&validation_sub ],
        text => [ '(?:\w\s)+' ],
    };

And I feed this along with the request or cgi object to a function that checks each key for first the simple regexp to see if it's worth trying the real validation function. My little system for doing this isn't

All the variables that are passed through form fields into other pages go through HTML::Entities' encode_entities function right before they are inserted in a template.

-- 
Thomas Eibner <http://thomas.eibner.dk/> DnsZone <http://dnszone.org/>
mod_pointer <http://stderr.net/mod_pointer>
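Here is one way the two-stage scheme above can be filled in, as an added example rather than Thomas's own code: the field names, the valid_id sub and the sample input are assumptions, and the regexps are anchored with \A and \z so a partial match cannot slip through.

```perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Per-field spec: a cheap anchored regexp, then an optional coderef doing
# the real check (hypothetical field names and valid_id; example code).
my %fields = (
    id      => [ qr/\A\d+\z/, \&valid_id ],
    comment => [ qr/\A[\w\s.,'&-]{1,200}\z/ ],
);

# Hypothetical "real" check: id must be a positive 31-bit integer.
sub valid_id {
    my ($v) = @_;
    return $v > 0 && $v < 2**31;
}

# Try the regexp first; call the validation sub only if it passed.
# Unknown parameters are dropped; returns (\%clean, \@errors).
sub validate_params {
    my ($spec, $params) = @_;
    my (%clean, @errors);
    for my $name (sort keys %$spec) {
        my ($re, $check) = @{ $spec->{$name} };
        my $value = $params->{$name};
        if (!defined $value || $value !~ $re) {
            push @errors, "$name: bad format";
            next;
        }
        if ($check && !$check->($value)) {
            push @errors, "$name: failed validation";
            next;
        }
        $clean{$name} = $value;
    }
    return (\%clean, \@errors);
}

# Constructed sample input standing in for $r->param / $cgi->param.
my %submitted = (
    id      => '0',
    comment => "Tom & Jerry's",
    junk    => 'ignored',
);
my ($clean, $errors) = validate_params(\%fields, \%submitted);
print "error: $_\n" for @$errors;
# Whatever reaches a template is entity-encoded right before insertion.
for my $name (sort keys %$clean) {
    printf "%s=%s\n", $name, encode_entities($clean->{$name});
}
```

With this input the id passes the regexp but fails valid_id and is reported, junk is dropped, and the comment survives validation yet still reaches the template only as `Tom &amp; Jerry&#39;s`.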