Masahiro Nagano > JavaScript-Value-Escape > JavaScript::Value::Escape

Download:
JavaScript-Value-Escape-0.06.tar.gz

Dependencies

Annotate this POD

CPAN RT

New  1
Open  0
View/Report Bugs
Module Version: 0.06   Source  

NAME ^

JavaScript::Value::Escape - Avoid XSS with JavaScript value interpolation

SYNOPSIS ^

  use JavaScript::Value::Escape;

  my $escaped = javascript_value_escape(q!&foo"bar'</script>!);
  # $escaped is "\u0026foo\u0022bar\u0027\u003c\/script\u003e"

  my $html_escaped = javascript_value_escape(Text::Xslate::Util::escape_html(q!&foo"bar'</script>!));

  print <<EOF;
  <script>
  var param = '$escaped';
  alert(param);

  document.write('$html_escaped');

  </script>
  EOF

DESCRIPTION ^

There are a lot of XSS, a security hole typically found in web applications, caused by incorrect (or lack of) JavaScript escaping. This module is aimed to provide a secure JavaScript escaping to avoid XSS with JavaScript values.

The escaping routine JavaScript::Value::Escape provides escapes q!"!, q!'!, q!&!, q!=!, q!-!, q!+!, q!;!, q!<!, q!>!, q!/!, q!\! and control characters to JavaScript unicode entities like "\u0026".

EXPORT FUNCTION ^

javascript_value_escape($value :Str) :Str

Escape a string. The argument of this function must be a text string (a.k.a. UTF-8 flagged string, Perl's internal form).

This is exported by default.

js($value :Str) :Str

Alias to javascript_value_escape() for convenience.

This is exported by your request.

AUTHOR ^

Masahiro Nagano <kazeburo {at} gmail.com>

THANKS TO ^

Fuji, Goro (gfx)

SEE ALSO ^

http://subtech.g.hatena.ne.jp/mala/20100222/1266843093 - About XSS caused by buggy JavaScript escaping for HTML script sections (Japanese)

http://blog.nomadscafe.jp/2010/11/htmlscript.html - Wrote a module (JavaScript::Value::Escape) to escape data for HTML script sections (Japanese)

RFC4627 - The application/json Media Type for JSON

LICENSE ^

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

syntax highlighting: