JavaScript::Value::Escape - Avoid XSS with JavaScript value interpolation
use JavaScript::Value::Escape; my $escaped = javascript_value_escape(q!&foo"bar'</script>!); # $escaped is "\u0026foo\u0022bar\u0027\u003c\/script\u003e" my $html_escaped = javascript_value_escape(Text::Xslate::Util::escape_html(q!&foo"bar'</script>!)); print <<EOF; <script> var param = '$escaped'; alert(param); document.write('$html_escaped'); </script> EOF
There are a lot of XSS, a security hole typically found in web applications, caused by incorrect (or lack of) JavaScript escaping. This module is aimed to provide a secure JavaScript escaping to avoid XSS with JavaScript values.
The escaping routine JavaScript::Value::Escape provides escapes q!"!, q!'!, q!&!, q!=!, q!-!, q!+!, q!;!, q!<!, q!>!, q!/!, q!\! and control characters to JavaScript unicode entities like "\u0026".
Escape a string. The argument of this function must be a text string (a.k.a. UTF-8 flagged string, Perl's internal form).
This is exported by default.
Alias to javascript_value_escape() for convenience.
javascript_value_escape()
This is exported by your request.
Masahiro Nagano <kazeburo {at} gmail.com>
Fuji, Goro (gfx)
http://subtech.g.hatena.ne.jp/mala/20100222/1266843093 - About XSS caused by buggy JavaScript escaping for HTML script sections (Japanese)
http://blog.nomadscafe.jp/2010/11/htmlscript.html - Wrote a module (JavaScript::Value::Escape) to escape data for HTML script sections (Japanese)
RFC4627 - The application/json Media Type for JSON
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
To install JavaScript::Value::Escape, copy and paste the appropriate command in to your terminal.
cpanm
cpanm JavaScript::Value::Escape
CPAN shell
perl -MCPAN -e shell install JavaScript::Value::Escape
For more information on module installation, please visit the detailed CPAN module installation guide.