[Catalyst] HTML encoding parameters

Mark Ellis m at rkellis.com
Sun Jun 29 14:12:35 GMT 2014


I've had really good results with HTML::StripScripts::Parser; you can set
allowed tags and attributes and stop JavaScript injection. You can also set
allowed attributes on certain tags only. It's really flexible.
On 29 Jun 2014 05:14, "bill hauck" <wbhauck at yahoo.com> wrote:

> Hi.
>
> Please forgive me if this is an easy one.  It's late and I haven't found
> any mention of it.
>
> I'd like to encode form fields so that only the standard bold, italic,
> underline, list, etc. are allowed and script, style, etc. tags are
> encoded.  Also, I'd like to only let the base tags through and no
> attributes so setting an onmouseover in a paragraph is encoded.  Basically
> I'm trying to avoid XSS and other nastiness.
>
> Is there a module that does this to all parameters at once?  Do I simply
> need to do it to each parameter I accept?  For now I've been adding the html
> filter in my Template Toolkit templates, but that's a pain and relies on
> each output field filtering.  I'd like to encode before storing the data in
> the database so it's safe no matter how it's presented.
>
> Any help is appreciated.
>
> Thanks,
>
> bill
>
> _______________________________________________
> List: Catalyst at lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive:
> http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
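Putting Mark's suggestion into Catalyst terms, here is an added example (not code from either poster) that runs HTML::StripScripts::Parser over every request parameter once, before anything is stored. The allowed tag list and the `filter_params` helper are assumptions chosen to match Bill's requirements, and the wildcard `Rules => { '*' => { '*' => 0 } }` form used to deny all attributes is assumed from the module's documented Rules syntax and should be checked against the installed version.

```perl
use strict;
use warnings;
use HTML::StripScripts::Parser;

# One filter object is enough; filter_html() resets its state on each call.
my $hss = HTML::StripScripts::Parser->new({
    Context        => 'Flow',                     # an HTML fragment, not a full document
    BanAllBut      => [qw(b i u p br ul ol li)],  # assumed allow-list for Bill's case
    Rules          => { '*' => { '*' => 0 } },    # no attributes on any tag (assumed wildcard form)
    EscapeFiltered => 1,                          # escape disallowed markup rather than dropping it
    AllowSrc       => 0,
    AllowHref      => 0,
});

# Filter every value in a parameter hash in place. Catalyst returns
# multi-valued parameters as array refs, so both shapes are handled.
sub filter_params {
    my ($params) = @_;    # e.g. $c->request->params
    for my $key (keys %$params) {
        my $v = $params->{$key};
        $params->{$key} = ref $v eq 'ARRAY'
            ? [ map { $hss->filter_html($_) } @$v ]
            : $hss->filter_html($v);
    }
    return $params;
}

# Constructed sample input standing in for a submitted form.
my %form = (
    body => '<p onmouseover="alert(1)">Hi <b>there</b><script>alert(1)</script></p>',
    tags => [ '<i>ok</i>', '<style>p{}</style>' ],
);
filter_params(\%form);
for my $key (sort keys %form) {
    my $v = $form{$key};
    print "$key => ", (ref $v ? join(' | ', @$v) : $v), "\n";
}

# In a Catalyst controller, call filter_params($c->request->params) from an
# auto() or begin() action so every parameter is cleaned before any action
# reads it or writes it to the database.
```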