[Catalyst] [OT] protecting against attacks with multilingual input
Jonathan Rockway
jon at jrock.us
Tue Dec 5 21:01:03 GMT 2006
Nilson Santos Figueiredo Junior wrote:
> This way, everything will probably just work, even when the user has a
> "<" on their names or any other weird characters.
No, you can inject plenty of bad code without <. You need to escape &,
<, >, ", and '.
Otherwise, consider
<footag bar="[% baz %]">
with
baz = " onload="alert('hello!').
This gets rendered as:
<footag bar="" onload="alert('hello!')">
Oops.
--
package JAPH;use Catalyst qw/-Debug/;($;=JAPH)->config(name => do {
$,.=reverse qw[Jonathan tsu rehton lre rekca Rockway][$_].[split //,
";$;"]->[$_].q; ;for 1..4;$,=~s;^.;;;$,});$;->setup;
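As an added illustration (not code from the original post, nor from Catalyst or Template Toolkit), the attribute break-out above reproduced with a toy `[% var %]` substitution: `escapeAnglesOnly`, `escapeHtml`, `render`, `attributeNames`, and the sample template and payload are all constructed here for the demonstration.

```javascript
// Added example, not part of the original post. A stand-in for a template
// engine's [% name %] substitution, used to show why escaping only angle
// brackets does nothing for a value that lands inside an HTML attribute.

// Naive filter: touches only "<" and ">". This is the assumption the quoted
// reply makes ("a '<' in their name"), and it leaves quotes untouched.
function escapeAnglesOnly(s) {
  return String(s).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// The five characters the post lists: & < > " '.
// "&" is replaced first so the entities introduced afterwards are not
// escaped a second time.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Minimal [% name %] substitution (a toy, not Template Toolkit itself).
// Every interpolated value goes through the supplied escape function.
function render(template, vars, escape) {
  return template.replace(/\[%\s*(\w+)\s*%\]/g, function (_, name) {
    var v = vars[name] === undefined ? "" : vars[name];
    return escape(v);
  });
}

// Crude check for a single start tag: which attribute names does it carry?
// A rendered tag that gains an attribute the template never declared has
// been broken out of. (Regex-based and only meant for this demonstration.)
function attributeNames(tag) {
  var inner = tag.replace(/^<\w+\s*/, "").replace(/\s*\/?>$/, "");
  var names = [];
  var re = /([^\s=]+)\s*=\s*("[^"]*"|'[^']*'|[^\s]*)/g;
  var m;
  while ((m = re.exec(inner)) !== null) names.push(m[1]);
  return names;
}

// Constructed sample mirroring the post: the template declares one
// attribute, the attacker-controlled value closes it and adds a handler.
var TEMPLATE = '<footag bar="[% baz %]">';
var PAYLOAD = '" onload="alert(\'hello!\')';

var naive = render(TEMPLATE, { baz: PAYLOAD }, escapeAnglesOnly);
var safe = render(TEMPLATE, { baz: PAYLOAD }, escapeHtml);

console.log("angles only: " + naive);   // gains an onload attribute
console.log("full escape: " + safe);    // stays a single bar attribute
console.log(attributeNames(naive), attributeNames(safe));
```

One caveat the check above relies on: escaping the five characters is only sufficient when the template quotes the attribute (`bar="[% baz %]"`). An unquoted `bar=[% baz %]` is terminated by whitespace, so a value such as `x onload=alert(1)` injects a handler without using any of the five characters at all; quote every interpolated attribute and escape the value.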