Malicious code, XSS, and HTML Purifier


In a thread on alt.html I described a problem I had with a script that was called from a form that allowed the user to submit information that was inserted into a database from which HTML pages would be generated, and the submitted content would be echoed back to the user and mailed to me. The problem seemed to occur if I had newline CRs in the content of the text input, and I finally determined it was a misplaced comma in my perl script.

But as I was testing it, I tried adding some HTML, and it worked well for font size and color and such, as well as being able to insert an image with <img src=url>. But then I thought about what would happen if someone made a mistake in the HTML tags, or even worse, if a hacker inserted malicious code such as Javascript. The answer was that there is a potentially serious security issue, or at the very least, a good chance of messing up the database and the resulting HTML pages.

So, I did some research and found an article on it. It is known as XSS, and is often a problem with blogs and forums which allow HTML. In that article I found HTML Purifier, which strips out possibly malicious content and fixes broken tags and other HTML errors. However, it seems to be designed for PHP, and at this point I want to continue using Perl to avoid yet another learning curve.

I think this will be a requirement for my application, and I still need to learn more about this purifier. Maybe there is a way to submit the raw content and have the purified content returned for use. If anyone has experience with this, I'd appreciate any advice. The link in my sig is the site I am maintaining, and the link to the form in question is there and also on the new website which is there as well. I can supply information and code if anyone is interested, but only by direct email.
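As an added example (not part of the original post, and written in Python rather than the poster's Perl because the point is the mechanism a purifier applies, not any one library), here is a small allowlist sanitizer of the kind the post is asking about: tags and attributes not on an allowlist are removed rather than looked up on a blocklist, URL attributes are checked for their scheme, text is re-escaped so a stray "<" stays text, and unclosed or mis-nested tags are repaired. The tag and attribute lists and the sample inputs are assumptions constructed for the demonstration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (an assumption for this example): anything not named here is
# removed. onerror/onclick and <script> can never get through because they
# are simply absent from these tables.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "font", "img", "a"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {"font": {"size", "color"}, "img": {"src", "alt"}, "a": {"href"}}
REQUIRED_ATTR = {"img": "src", "a": "href"}  # drop the whole tag if this is rejected
RAW_TEXT_TAGS = {"script", "style"}          # their text content is discarded

SIZE_RE = re.compile(r"^[+-]?[1-7]$")
COLOR_RE = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$")
SAFE_SCHEMES = ("http", "https", "")         # "" means a relative URL


def safe_url(value):
    """Return the URL if its scheme is http(s) or relative, else None."""
    # Browsers ignore tabs/newlines inside a scheme ("java\tscript:"), so strip
    # control characters first; urlparse lowercases the scheme, so "JAVASCRIPT:"
    # is rejected as well as data:, vbscript: and friends.
    value = "".join(ch for ch in value if ord(ch) > 31).strip()
    return value if urlparse(value).scheme in SAFE_SCHEMES else None


def clean_attr(tag, name, value):
    """Validate one attribute; None means drop it."""
    if name not in ALLOWED_ATTRS.get(tag, ()):
        return None
    value = value or ""                      # a bare <img src> arrives as None
    if name in ("src", "href"):
        return safe_url(value)
    if name == "size":
        return value if SIZE_RE.match(value) else None
    if name == "color":
        return value if COLOR_RE.match(value) else None
    return value                             # alt: free text, escaped on output


class Purifier(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: "&#106;avascript:" reaches us already decoded,
        # so the scheme check sees the same string the browser would.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack used to repair unclosed / mis-nested tags
        self.in_raw = False   # True while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.in_raw = True
            return
        if self.in_raw or tag not in ALLOWED_TAGS:
            return            # unknown tag vanishes; its text is still kept
        kept = {}
        for name, value in attrs:
            if name not in kept:
                value = clean_attr(tag, name, value)
                if value is not None:
                    kept[name] = value
        if tag in REQUIRED_ATTR and REQUIRED_ATTR[tag] not in kept:
            return            # <img src="javascript:..."> leaves nothing behind
        attr_text = "".join(' %s="%s"' % (n, escape(v, quote=True)) for n, v in kept.items())
        self.out.append("<%s%s>" % (tag, attr_text))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.in_raw = False
            return
        if tag in self.open_tags:
            # Close everything opened since, so <b><i>x</b> becomes <b><i>x</i></b>
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.in_raw:   # re-escaped, so "<" typed in a post stays text
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                  # comments (incl. <!--[if IE]>) are dropped

    def result(self):
        self.close()
        while self.open_tags:  # close whatever the user left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def purify(html):
    """Take the raw submission, return HTML safe to store, echo and mail."""
    parser = Purifier()
    parser.feed(html)
    return parser.result()


# Constructed inputs (not from the original post): benign markup a user might
# type, plus the kinds of payloads a hostile submitter would try.
SAMPLES = [
    '<font size=4 color=red>Hello</font><img src=http://example.com/pic.png>',
    'Hi <script>alert(document.cookie)</script>there',
    '<img src="javascript:alert(1)" onerror="alert(2)">',
    '<a href="JAVA&#9;SCRIPT:alert(1)">click</a>',
    '<b>bold <i>both</b> tail',
    '5 > 3 & 2 < 4',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-60r -> %r" % (sample, purify(sample)))
```

`purify()` is the "submit the raw content, get the purified content back" step from the post: run it once when the form is received and store only its output, so the database, the generated pages and the mailed copy all carry the same sanitized markup. The allowlist shape is the same one HTML Purifier uses, and on the Perl side HTML::Scrubber on CPAN follows the same model (allowed tags plus per-tag attribute rules) if porting is not wanted.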


