[Dancer-users] Dancer and XSS

Alexis Sukrieh sukria at sukria.net
Wed Apr 14 08:38:33 UTC 2010


Hi John,

I'm CCing the list so everyone can join/contribute to this discussion.

On Wednesday 14 April 2010 at 07:23 +0000, John Berthels wrote:
> Hi,
> 
> I'm maintaining a largeish perl web app on bare apache2 mod_perl. We're having some pain, having perhaps outgrown our existing home-grown partial-framework and I'm looking at different frameworks with a view to either stealing ideas or possibly migrating the app across.
> 
> In particular, does Dancer give any support for html-escaping to prevent cross-site-scripting (XSS)?
> 
> Different solutions I've seen so far include:

Currently, Dancer does not provide any XSS protection, but as you may
know, the Dancer::Plugin interface allows you to build your own
extensions.

> 1 - html-escape all params on entry to the app (con:  you need lots of un-escaping and so is hard to audit for correctness)

Filtering all incoming params can easily be done with a before filter,
like the following:

    use Dancer;

    # runs before every route handler; some_xss_filter() is a placeholder
    # for whatever escaping/sanitising function you choose
    before sub {
        while (my ($param, $value) = each(%{ params() })) {
            params->{$param} = some_xss_filter($value);
        }
    };

Better, this could be written in a plugin, like Dancer::Plugin::XSS and
would then be enabled by just using that module in your webapp.


> 2 - explicit html-escape in templates (con: you need this on nearly all variable interpolations in every template)

This is not yet possible, but will be as soon as we add support for
another kind of filter: "before_template", see
http://github.com/sukria/Dancer/issues#issue/60

> 3 - auto html-escape in templates (con: this breaks some complex template logic)

I suppose this can be done depending on the template engine you're
using (as Dancer lets you choose which one you want to use). For
instance, I'm sure you can find some Template Toolkit filters for that,
and enable them in your Dancer configuration.

> If you can give me any pointers to places in the Dancer docs that I've missed that cover this, that would be great. Otherwise, any advice you have would be gratefully received.

Feel free to join the users mailing list if you have any questions.
http://lists.perldancer.org/cgi-bin/listinfo/dancer-users

Regards,

-- 
Alexis Sukrieh
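Added example (not code from this thread and not Dancer's own code): a plain Perl script contrasting option 1 (escape every param on entry, as the before filter above does) with escaping at the point of output, as a template filter such as Template Toolkit's "html" filter would. html_escape(), filter_params(), render_greeting() and the sample %params are hypothetical stand-ins for some_xss_filter() and Dancer's params(); nothing here depends on Dancer being installed.

```perl
#!/usr/bin/env perl
# Added example, not part of Dancer: where to HTML-escape, and what goes wrong
# when it happens twice. All subs and the sample input below are hypothetical.
use strict;
use warnings;

# Escape the five characters that matter in HTML text and quoted attributes.
# Template Toolkit's built-in "html" filter handles & < > " but leaves the
# single quote alone, so keep attributes double-quoted if you rely on it.
sub html_escape {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;      # must come first, or the entities added below get re-escaped
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Option 1 from the thread: escape every parameter on the way in. This is the
# before-filter loop applied to a plain hashref instead of Dancer's params().
sub filter_params {
    my ($params) = @_;
    for my $name (keys %$params) {
        $params->{$name} = html_escape($params->{$name});
    }
    return $params;
}

# Options 2/3 from the thread: escape at the interpolation point, which is
# what [% name | html %] does in a Template Toolkit view.
sub render_greeting {
    my ($name) = @_;
    return '<p>Hello, ' . html_escape($name) . '</p>';
}

# Constructed sample input, as a client would submit it.
my %params = (
    name    => q{<script>alert(1)</script>},
    company => q{Smith & Jones},
);

# Output escaping only: the script tags become harmless entities and the
# ampersand in the company name is encoded exactly once.
my $clean = render_greeting($params{name});
my $once  = render_greeting($params{company});

# Input escaping *and* output escaping: the data is already stored escaped,
# so the render-time escape encodes the ampersand a second time and the page
# shows a literal "&amp;". This is the un-escaping/auditing pain John mentions.
my $stored = filter_params({ %params });
my $twice  = render_greeting($stored->{company});

# Escaping is context-specific: html_escape() leaves a javascript: URL intact,
# so an href needs URL validation (scheme allow-list), not entity encoding.
my $link = '<a href="' . html_escape('javascript:alert(1)') . '">x</a>';

print "output-escaped:        $clean\n";
print "escaped once:          $once\n";
print "escaped on input too:  $twice\n";
print "wrong context:         $link\n";
```

Running it shows the same company name coming out correct when escaped once at output time and double-encoded when it was also escaped on entry, which is why escaping at the template (option 2 or 3) is usually easier to audit than filtering params on the way in; the last line shows that HTML entity encoding does nothing for a URL or script context.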
