
NAME

String::EscapeCage - Cage and escape strings to prevent injection attacks

VERSION

Version 0.02

SYNOPSIS

The String::EscapeCage module puts dangerous strings in a cage. It eases escaping to various output encodings, helps developers track which data are dangerous, and prevents injection attacks by making accidental raw use of caged data a run-time error.

    use String::EscapeCage qw( cage uncage escapehtml );

    my $name = cage $cgi->param('name');
    print "Hello, ", $name, "\n";  # croaks to avoid HTML injection attack
    print "Hello, ", escapehtml $name, "\n";  # nice and safe
    print "Hello, ", uncage $name, "\n";  # remove protection

DESCRIPTION

After the cage function cages a string, the uncage method releases it, and the escapehtml, escapecstring, etc. methods safely escape (transform) it for one particular output context. If an application cages all user-supplied strings, then a run-time exception will prevent application code from accidentally allowing an SQL, shell, cross-site scripting, cat -v, etc. injection attack, because a caged string cannot reach any sink until it is explicitly escaped or uncaged. String::EscapeCage's paranoia can be adjusted for development. The concept is similar to Perl's "tainted" data, but it is implemented by overloading the '""' (stringification) operator on blessed scalar references: interpolating, concatenating, comparing or printing a caged string all go through that operator and croak.

By default String::EscapeCage exports no subroutines. The subroutines below are available for import, as methods, or both, as noted for each:

cage STRING / new STRING

Return a new EscapeCage object holding the given string. cage is available only as an exported function; new is available only as a class method.

uncage CAGE

Returns the raw string that had been "caged" in the given EscapeCage object. It will be untainted, since you presumably know what you're doing with it; the code that uncages a string takes on the responsibility for escaping it correctly for whatever sink it reaches, so keep uncage calls few and easy to audit. Available as an exported function or an object method.

re CAGE REGEXP

Applies REGEXP to the string that had been "caged", taking the place of the regular expression binding operator =~.

The intent is to overload =~ and let an EscapeCage uncage and untaint itself through a successful match, just as a tainted string does, but overload does not support =~. So this is an ugly work-around that buys a little brevity and marks the call sites to revisit if overloading =~ ever becomes possible. It does not set the (implicitly local()ized) numbered match variables (e.g. $1) the way you want: they are dynamically scoped to the method's own block and are gone by the time it returns.

escapecstring CAGE

Returns the C-string-escaped transformation of the string that had been "caged" in the given EscapeCage object, i.e. a form suitable for placing between the quotes of a C string literal. It will be untainted, since it should be safe to print now. Available as an exported function or an object method.

escapepercent CAGE

Returns the URL percent-escaped transformation of the string that had been "caged" in the given EscapeCage object, i.e. a form suitable for use as a single URL path segment or query value. It will be untainted, since it should be safe to print now. Available as an exported function or an object method.
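The overloading mechanism from DESCRIPTION and the per-sink escape functions listed above are easiest to see together in a small self-contained sketch. The following is an added example written for this page, not the String::EscapeCage source: it defines its own Cage package with overload to show how a croaking '""' method turns accidental raw use into a run-time error, and supplies its own assumed escaping rules for HTML, percent-encoding and C strings, since the module's exact rules are not given on this page. The hostile input is constructed.

```perl
#!/usr/bin/perl
# Added illustration of the cage technique (not String::EscapeCage's code).
# Requires Perl 5.14+ for the package BLOCK syntax.
use strict;
use warnings;
use Carp ();

# A blessed scalar reference whose stringification croaks. Interpolation,
# concatenation, print and string comparison all derive from '""' when
# they are not overloaded themselves, so every raw use trips the trap.
package Cage {
    use overload
        '""'   => sub { Carp::croak('caged string used without escaping or uncaging') },
        'bool' => sub { 1 };   # let `if ($cage)` work without tripping the trap

    sub new    { my ($class, $str) = @_; return bless \$str, $class }
    sub uncage { return ${ $_[0] } }   # explicit, auditable release of the raw string

    # Assumed rules for HTML body and attribute context.
    sub escapehtml {
        my $s = ${ $_[0] };
        my %esc = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                   '"' => '&quot;', "'" => '&#39;');
        $s =~ s/([&<>"'])/$esc{$1}/g;
        return $s;
    }

    # Assumed rule: percent-encode everything outside the RFC 3986
    # unreserved set. Input is treated as bytes.
    sub escapepercent {
        my $s = ${ $_[0] };
        $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
        return $s;
    }

    # Assumed rule for the contents of a double-quoted C literal. Octal
    # escapes are used for other non-printables because "\x1b" followed by
    # a hex digit would be read as one longer escape by a C compiler.
    sub escapecstring {
        my $s = ${ $_[0] };
        my %esc = ("\\" => '\\\\', '"' => '\\"', "\n" => '\\n',
                   "\r" => '\\r', "\t" => '\\t');
        $s =~ s/([\\"\n\r\t]|[^\x20-\x7e])/exists $esc{$1} ? $esc{$1} : sprintf('\\%03o', ord $1)/ge;
        return $s;
    }
}

package main;

sub cage { return Cage->new($_[0]) }

# Constructed hostile input standing in for $cgi->param('name').
my $name = cage(qq{<img src=x onerror="alert('x')">\tO'Brien & Co\x1b[31m});

# 1. Accidental raw use is a run-time error, not a silent injection.
for my $attempt (
    sub { my $line     = "Hello, $name\n" },          # interpolation
    sub { my $line     = 'Hello, ' . $name . "\n" },  # concatenation
    sub { my $is_admin = ($name eq 'admin') },        # comparison
) {
    print 'blocked: ', $@ if !eval { $attempt->(); 1 };
}

# 2. Each sink gets the escape that matches its own grammar.
print 'HTML: ', $name->escapehtml, "\n";
print 'URL:  http://example.invalid/?name=', $name->escapepercent, "\n";
print 'C:    "', $name->escapecstring, "\"\n";

# 3. uncage is the single place where protection is deliberately dropped.
my $raw = $name->uncage;
printf "uncaged %d raw bytes\n", length $raw;
```

Note that the same input produces three different outputs, one per sink; choosing the wrong escape (HTML-escaping a value that lands in a URL, say) is still an injection, and the cage only guarantees that some explicit choice was made.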

ADDING STRING::ESCAPECAGE TO AN EXISTING PROJECT

CAVEATS

COMPARISON WITH TAINT

BUGS

Please report any bugs or feature requests to bug-escapecage at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=String-EscapeCage. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

TODO

AUTHOR

    Mark P Sullivan
    CPAN ID: msulliva
    Zeroth Solutions

COPYRIGHT

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

The full text of the license can be found in the LICENSE file included with this module.

SEE ALSO

taint in perlsec, Apache::TaintRequest