
Apache::TaintRequest - HTML-escape tainted data to prevent cross-site scripting (XSS) attacks

    use Apache::TaintRequest ();
    use Apache::Constants qw(OK);

    sub handler {
        my $r = shift;
        # Wrap the request object so that print() becomes taint-aware
        $r = Apache::TaintRequest->new($r);
        my $querystring = $r->query_string();   # request data: tainted
        $r->print($querystring);   # html is escaped...
        $querystring =~ s/<script>//;           # programmer "cleans" the data
        $r->print($querystring);   # html is NOT escaped...
        return OK;
    }

This code is derived from the Cookbook::TaintRequest module, available as part of "The mod_perl Developer's Cookbook".
One of the harder problems facing web developers is dealing with potential cross-site scripting attacks. Frequently this means sprinkling many calls to Apache::Util::escape_html() throughout the code.
This module aims to automate this tedious process. It overrides the print method of the mod_perl Apache request object. The new print method tests each chunk of text for taintedness; if a chunk is tainted we assume the worst and HTML-escape it before printing. Data that the programmer has already untainted is printed as-is.
Note that this module requires that you have the line
    PerlTaintCheck On
in your httpd.conf, which turns on Perl's taint mode (-T) for the whole server. This may have other unintended side effects, so be warned.
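The following stand-alone script is an added example, not code from Apache::TaintRequest or the Cookbook. It reproduces the rule the overridden print method applies, using Scalar::Util::tainted() and an inline escaper in place of Apache::Util::escape_html(), and it shows the caveat behind the "NOT escaped" case above: once the programmer has untainted a value, nothing is escaped, so laundering with a catch-all regex silently reintroduces the risk. Run it with perl -T, which is what PerlTaintCheck On enables.

```perl
#!/usr/bin/perl -T
# Added example (not Apache::TaintRequest's own code): the taint-driven
# escaping rule the module applies inside print(), outside of mod_perl.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Minimal HTML escaper standing in for Apache::Util::escape_html().
sub escape_html {
    my $s = shift;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $s =~ s/([&<>"])/$map{$1}/g;
    return $s;
}

# The module's rule: a tainted chunk is assumed hostile and escaped; a
# chunk the programmer has untainted is trusted and passed through.
sub taint_aware {
    my $chunk = shift;
    return tainted($chunk) ? escape_html($chunk) : $chunk;
}

# Constructed input. Under -T every %ENV value is tainted, and appending a
# tainted empty string taints the literal, mimicking what query_string()
# hands back for a real request.
my $taint = substr($ENV{PATH} // '', 0, 0);
my $query = '<b>hi</b><script>alert(1)</script>' . $taint;

# Still tainted, so the markup is printed escaped.
print taint_aware($query), "\n";

# Laundering with a catch-all capture is the failure mode to watch for:
# a regex capture is Perl's only untaint mechanism, so this removes the
# taint without validating anything and the markup is printed raw.
my ($laundered) = $query =~ /^(.*)$/s;
print taint_aware($laundered), "\n";

# Untainting with a whitelist keeps the guarantee: the capture succeeds
# only for input that is safe to print unescaped, otherwise it is undef.
my ($validated) = $query =~ /^([\w ]+)$/;
print defined($validated) ? $validated : 'rejected: input is not plain text';
print "\n";
```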

perl(1), mod_perl(1), Apache(3), Taint

Paul Lindner <paul@modperlcookbook.org>
Geoffrey Young <geoff@modperlcookbook.org>
Randy Kobes <randy@modperlcookbook.org>

Copyright (c) 2001, Paul Lindner, Geoffrey Young, Randy Kobes.
All rights reserved.
This module is free software. It may be used, redistributed and/or modified under the same terms as Perl itself.

For more information, visit http://www.modperlcookbook.org/