Module Version: 0.10

NAME

Apache::TaintRequest - HTML Escape tainted data to prevent CSS Attacks

SYNOPSIS

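  use Apache::TaintRequest ();

  sub handler {
    my $r = shift;
    $r = Apache::TaintRequest->new($r);   # wrap the request; print() is overridden

    my $querystring = $r->query_string();
    $r->print($querystring);   # tainted: html is escaped...

    # s/// alone leaves the value tainted; only a regex capture untaints it
    if ($querystring =~ /^([\w=&]*)$/) {
      $r->print($1);           # untainted: html is NOT escaped...
    }
  }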

DESCRIPTION

Note:

This code is derived from the Cookbook::TaintRequest module, available as part of "The mod_perl Developer's Cookbook".

One of the harder problems facing web developers involves dealing with potential cross-site scripting attacks. Frequently this involves many calls to Apache::Util::escape_html().

This module aims to automate this tedious process. It overrides the print mechanism in the mod_perl Apache module. The new print method tests each chunk of text for taintedness. If a chunk is tainted, we assume the worst and HTML-escape it before printing.

Note that this module requires that you have the line

  PerlTaintCheck on

in your httpd.conf. This may have other unintended side effects, so be warned.
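
The per-chunk taint test described above can be tried outside mod_perl with plain Perl in taint mode. This is an added example, not code from the module: render() and escape_html() are hypothetical stand-ins for the overridden print and for Apache::Util::escape_html(), and the input is constructed.

```perl
#!/usr/bin/perl -T
# Added illustration, not Apache::TaintRequest source. Run as: perl -T demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Stand-in for Apache::Util::escape_html(); the entity set is an assumption.
my %ENTITY = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
sub escape_html {
    my ($text) = @_;
    $text =~ s/([&<>"])/$ENTITY{$1}/g;
    return $text;
}

# Hypothetical analogue of the overridden print(): each chunk is tested
# separately, and only tainted chunks are HTML-escaped.
sub render {
    return join '', map { tainted($_) ? escape_html($_) : $_ } @_;
}

# Constructed sample input. Appending a zero-length slice of "$0$^X"
# (tainted under -T) marks the string tainted, like real request data.
my $query = 'name=<script>x</script>' . substr("$0$^X", 0, 0);

# 1. Literal markup passes through; the tainted chunk is escaped.
print render('<p>', $query, '</p>'), "\n";

# 2. Interpolating first taints the whole string, so the markup is escaped too.
print render("<p>$query</p>"), "\n";

# 3. s/// edits the value but leaves the taint flag set: still escaped.
(my $stripped = $query) =~ s/<script>//;
print render($stripped), "\n";

# 4. Only a regex capture yields untainted data, so validate with an allow-list.
if ($query =~ /^name=(\w+)$/) {
    print render($1), "\n";
} else {
    print "rejected: input does not match the allow-list pattern\n";
}
my ($ok) = ('name=alice' . substr("$0$^X", 0, 0)) =~ /^name=(\w+)$/;
print render("<b>$ok</b>"), "\n";   # $ok is untainted, so nothing is escaped
```

Case 2 is the fail-safe side of the design: a template interpolated together with request data comes out escaped as a whole, so trusted markup and tainted values have to be passed to print as separate chunks.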

SEE ALSO

perl(1), mod_perl(1), Apache(3), Taint

AUTHORS

Paul Lindner <paul@modperlcookbook.org>

Geoffrey Young <geoff@modperlcookbook.org>

Randy Kobes <randy@modperlcookbook.org>

COPYRIGHT

Copyright (c) 2001, Paul Lindner, Geoffrey Young, Randy Kobes.

All rights reserved.

This module is free software. It may be used, redistributed and/or modified under the same terms as Perl itself.

HISTORY

This code is derived from the Cookbook::TaintRequest module, available as part of "The mod_perl Developer's Cookbook".

For more information, visit http://www.modperlcookbook.org/
