<p dir="ltr">I've had really good results with HTML::StripScripts::Parser, you can set allowed tags, attributes and stop JavaScript injection. You can also set allowed attributes on certain tags only, it's really flexible</p>
<div class="gmail_quote">On 29 Jun 2014 05:14, "bill hauck" <<a href="mailto:wbhauck@yahoo.com">wbhauck@yahoo.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div style="color:#000;background-color:#fff;font-family:Courier New,courier,monaco,monospace,sans-serif;font-size:12pt"><div><span>Hi.</span></div><div style="color:rgb(0,0,0);font-size:16.363636016845703px;font-family:'Courier New',courier,monaco,monospace,sans-serif;font-style:normal;background-color:transparent">
<span><br></span></div><div style="color:rgb(0,0,0);font-size:16.363636016845703px;font-family:'Courier New',courier,monaco,monospace,sans-serif;font-style:normal;background-color:transparent"><span>Please forgive me if this is an easy one. It's late and I haven't found any mention of it.</span></div>
<div style="color:rgb(0,0,0);font-size:16.363636016845703px;font-family:'Courier New',courier,monaco,monospace,sans-serif;font-style:normal;background-color:transparent"><span><br></span></div><div style="color:rgb(0,0,0);font-size:16.363636016845703px;font-family:'Courier New',courier,monaco,monospace,sans-serif;font-style:normal;background-color:transparent">
<span>I'd like to encode form fields so that only the standard bold, italic, underline, list, etc. are allowed and and script, style, etc. tags are encoded. Also, I'd like to only let the base tags through and no attributes so setting an onmouseover in a paragraph is encoded. Basically I'm trying to avoid XSS and other nastiness.</span></div>
<div style="color:rgb(0,0,0);font-size:16.363636016845703px;font-family:'Courier New',courier,monaco,monospace,sans-serif;font-style:normal;background-color:transparent"><span><br></span></div><div style="color:rgb(0,0,0);font-size:16.363636016845703px;font-family:'Courier New',courier,monaco,monospace,sans-serif;font-style:normal;background-color:transparent">
<span>Is there a module that does this to all parameters at once? Do i simply need to do it to each
paramter I accept? For now I've been adding the html filter in my Template Toolkit templates, but that's a pain and relies on each output field filtering. I'd like to encode before storing the data in the database so it's safe no matter how it's presented.</span></div>
<div style="color:rgb(0,0,0);font-size:16.363636016845703px;font-family:'Courier New',courier,monaco,monospace,sans-serif;font-style:normal;background-color:transparent"><span><br></span></div><div style="color:rgb(0,0,0);font-size:16.363636016845703px;font-family:'Courier New',courier,monaco,monospace,sans-serif;font-style:normal;background-color:transparent">
Any help is appreciated.</div><div style="color:rgb(0,0,0);font-size:16.363636016845703px;font-family:'Courier New',courier,monaco,monospace,sans-serif;font-style:normal;background-color:transparent"><br></div><div style="color:rgb(0,0,0);font-size:16.363636016845703px;font-family:'Courier New',courier,monaco,monospace,sans-serif;font-style:normal;background-color:transparent">
Thanks,</div><div style="color:rgb(0,0,0);font-size:16.363636016845703px;font-family:'Courier New',courier,monaco,monospace,sans-serif;font-style:normal;background-color:transparent"><br></div><div style="color:rgb(0,0,0);font-size:16.363636016845703px;font-family:'Courier New',courier,monaco,monospace,sans-serif;font-style:normal;background-color:transparent">
bill</div><div></div><div> </div><div></div><div><br><br><br><br></div><div><br><br></div></div></div><br>_______________________________________________<br>
List: <a href="mailto:Catalyst@lists.scsys.co.uk">Catalyst@lists.scsys.co.uk</a><br>
Listinfo: <a href="http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst">http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst</a><br>
Searchable archive: <a href="http://www.mail-archive.com/catalyst@lists.scsys.co.uk/">http://www.mail-archive.com/catalyst@lists.scsys.co.uk/</a><br>
Dev site: <a href="http://dev.catalyst.perl.org/">http://dev.catalyst.perl.org/</a><br>
<br></blockquote></div>