[cgiapp] Persistence

Dan Horne dan.horne at redbone.co.nz
Fri Feb 8 14:58:12 EST 2008


> From: Michael Peters
> Sent: Saturday, 9 February 2008 4:28 a.m.
> To: CGI Application
> Subject: Re: [cgiapp] Persistence
> 
> 
> 
> Ron Savage wrote:
> > On Wed, 2008-02-06 at 17:16 -0500, Michael Peters wrote:
> >
> > Hi Michael
> >
> >> This is why escaping any data that could potentially come from a user is so
> >> important.
> >
> > Not just escaping. OP should be warned that server code cannot just rely
> > on Javascript-based validation. Someone might disable Javascript and
> > submit something nasty. That means the validation should be duplicated
> > on the server too. And yes, that's a PITA.
> 
> Very true. In fact, I almost never do Javascript validation because of
> this. Why duplicate my effort? But, it's important to remember that unless
> you're allowing your users to submit HTML or JS code, validation is not what
> prevents XSS. It's output encoding:
> 
> http://www.oreillynet.com/onlamp/blog/2005/10/repeat_after_me_lack_of__output.html
> 

Output encoding is definitely the safest, but I still need users to submit
certain HTML tags, but not others, and I find
Data::FormValidator::Filters::HTMLScrubber does the trick.
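The two approaches discussed in this thread side by side, as an added example that is not code from either poster: output encoding for a plain-text field, and an allowlist scrubber for a field that is permitted to carry a few HTML tags. It uses HTML::Entities and HTML::Scrubber directly rather than the Data::FormValidator filter wrapper Dan mentions; the tag and attribute allowlist and the sample input are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): rendering untrusted form input safely.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);
use HTML::Scrubber;

# Constructed sample input, standing in for a field that reached the server
# after client-side validation was bypassed (the case Ron warns about).
my $untrusted = q{<b>hi</b> <a href="http://example.com/" onclick="bad()">x</a>}
              . q{<script>bad()</script>};

# 1. Plain-text field: output encoding. '<', '>', '&', '"' and "'" become
#    entities, so the browser displays the markup instead of interpreting it.
sub render_text {
    my ($s) = @_;
    return encode_entities($s, q{<>&"'});
}

# 2. Field that may carry limited HTML: allowlist scrubbing. Only the listed
#    tags survive; attributes not named under 'rules' are dropped ('*' => 0),
#    so event-handler attributes such as onclick never reach the page.
my $scrubber = HTML::Scrubber->new(
    allow => [qw(b i u p br a)],
    rules => [
        a => {
            href => qr{^https?://}i,   # only absolute http(s) links
            '*'  => 0,                 # no other attributes on <a>
        },
    ],
);
$scrubber->comment(0);   # drop HTML comments
$scrubber->process(0);   # drop processing instructions
$scrubber->script(0);    # strip <script> blocks
$scrubber->style(0);     # strip <style> blocks

sub render_limited_html {
    my ($s) = @_;
    return $scrubber->scrub($s);
}

# Render the same input both ways so the difference is visible.
print "encoded:  ", render_text($untrusted), "\n";
print "scrubbed: ", render_limited_html($untrusted), "\n";
```

The scrubber is the right tool only for fields where HTML is genuinely wanted; everything else should go through `render_text`, regardless of what validation ran in the browser.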


