[Catalyst] HTML encoding parameters
bill hauck
wbhauck at yahoo.com
Sun Jun 29 03:13:46 GMT 2014
Hi.
Please forgive me if this is an easy one. It's late and I haven't found any mention of it.
I'd like to encode form fields so that only the standard bold, italic, underline, list, etc. are allowed and and script, style, etc. tags are encoded. Also, I'd like to only let the base tags through and no attributes so setting an onmouseover in a paragraph is encoded. Basically I'm trying to avoid XSS and other nastiness.
Is there a module that does this to all parameters at once? Do i simply need to do it to each paramter I accept? For now I've been adding the html filter in my Template Toolkit templates, but that's a pain and relies on each output field filtering. I'd like to encode before storing the data in the database so it's safe no matter how it's presented.
Any help is appreciated.
Thanks,
bill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.scsys.co.uk/pipermail/catalyst/attachments/20140628/57eb4b53/attachment.htm>
More information about the Catalyst
mailing list