NAME
Apache2::TaintRequest - HTML Escape tainted data to prevent CSS Attacks
SYNOPSIS
use Apache2::TaintRequest ();
sub handler { my $r = shift; $r = Apache2::TaintRequest->new($r);
my $querystring = $r->query_string();
$r->print($querystring); # html is escaped...
$querystring =~ s/<script>//;
$r->print($querystring); # html is NOT escaped...
}
DESCRIPTION
Note: This code is derived from the *Apache::TaintRequest*
module, available as part of "The mod_perl Developer's
Cookbook".
One of the harder problems facing web developers involves dealing with
potential cross site scripting attacks. Frequently this involves many
calls to HTML::Entities::escape_html().
This module aims to automate this tedious process. It overrides the
print mechanism in the mod_perl Apache module. The new print method
tests each chunk of text for taintedness. If it is tainted we assume the
worst and html-escape it before printing.
Note that this module requires that you have the line
PerlSwitches -T
in your httpd.conf. This may have other unintended side effects, so be
warned.
SEE ALSO
perl(1), mod_perl(1), Apache(3), Taint, Apache::TaintRequest
http://perl.apache.org/docs/2.0/user/porting/compat.html#C_PerlTaintChec
k_
AUTHORS
Fred Moyer <fred@redhotpenguin.com>
COPYRIGHT
Apache2::TaintRequest Copryright (c) 2012, Fred Moyer
Apache::TaintRequest Copyright (c) 2001, Paul Lindner, Geoffrey Young,
Randy Kobes.
All rights reserved.
This module is free software. It may be used, redistributed and/or
modified under the same terms as Perl itself.
HISTORY
This code is derived from the *Apache::TaintRequest* module, available
on the CPAN.