Hi John, I'm CCing the list so everyone can join/contribute to this discussion.

On Wednesday 14 April 2010 at 07:23 +0000, John Berthels wrote:
> Hi,
> I'm maintaining a largeish perl web app on bare apache2 mod_perl. We're having some pain, having perhaps outgrown our existing home-grown partial-framework and I'm looking at different frameworks with a view to either stealing ideas or possibly migrating the app across.
> In particular, does Dancer give any support for html-escaping to prevent cross-site-scripting (XSS)?
> Different solutions I've seen so far include:
Currently, Dancer does not provide any XSS protection, but as you may know, the Dancer::Plugin interface allows you to build your own extensions.
> 1 - html-escape all params on entry to the app (con: you need lots of un-escaping and so is hard to audit for correctness)
Filtering all incoming params can easily be done with a before filter, like the following:

    # Runs before every route handler; rewrites each request parameter
    # in place with the escaped version returned by some_xss_filter().
    before sub {
        while (my ($param, $value) = each(%{ params() })) {
            params->{$param} = some_xss_filter($value);
        }
    };

Better, this could be written in a plugin, like Dancer::Plugin::XSS, and would then be enabled by just using that module in your webapp.
> 2 - explicit html-escape in templates (con: you need this on nearly all variable interpolations in every template)
This is not yet possible, but will be as soon as we add support for another kind of filter: "before_template", see http://github.com/sukria/Dancer/issues#issue/60
> 3 - auto html-escape in templates (con: this breaks some complex template logic)
I suppose this can be done depending on the template engine you're using (as Dancer lets you choose which one you want to use). For instance, I'm sure you can find some Template Toolkit filters for that, and enable them in your Dancer configuration.
> If you can give me any pointers to places in the Dancer docs that I've missed that cover this, that would be great. Otherwise, any advice you have would be gratefully received.
Feel free to join the users mailing list if you have any questions: http://lists.perldancer.org/cgi-bin/listinfo/dancer-users

Regards,
-- 
Alexis Sukrieh
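As an added example (not code from the thread above and not part of Dancer or any Dancer plugin), here is a small Dancer 1 application that implements two of the approaches discussed: option 1, a before filter that HTML-escapes every incoming parameter on entry, and option 2, an escaping helper exposed to templates so that the template author escapes explicitly at the point of interpolation. The template-side part relies on the `before_template` hook, which was still a feature request when this thread was written; that it exists under this name in later Dancer 1 releases is an assumption of this example. The `html_escape` function, the `h` template helper and the `/greet` route are names chosen for the example.

```perl
#!/usr/bin/env perl
# Added example, not from the original thread. Demonstrates two of the
# XSS strategies discussed there against the Dancer 1 API:
#   1. a 'before' filter that HTML-escapes every incoming parameter
#   2. an 'h' helper exported to templates for explicit escaping at output
use strict;
use warnings;
use Dancer;
use HTML::Entities qw(encode_entities);

# Escape the characters that matter in HTML text and attribute context.
# This is only correct for HTML context: data interpolated into a URL,
# a JavaScript block or a CSS value needs its own encoder.
sub html_escape {
    my ($value) = @_;
    return '' unless defined $value;
    return encode_entities($value, q{<>&"'});
}

# Option 1: escape on entry. The raw values are kept in 'vars' so that
# code which legitimately needs them (a database write, logging) can read
# them without un-escaping, which is the part that is hard to audit.
hook before => sub {
    my %raw = %{ params() };
    var raw_params => \%raw;
    for my $name (keys %raw) {
        params->{$name} = html_escape($raw{$name});
    }
};

# Option 2: escape at output. Every template gets an 'h' token, so the
# author writes <% h(user_input) %> wherever untrusted data is interpolated.
# Assumes the before_template hook (issue 60 in the thread) is available.
hook before_template => sub {
    my ($tokens) = @_;
    $tokens->{h} = \&html_escape;
};

get '/greet' => sub {
    # 'name' was already escaped by the before filter, so interpolating it
    # into an HTML text context here is safe; the raw value is in vars.
    my $name = params->{name};
    my $raw  = vars->{raw_params}{name};
    debug "raw name was: " . (defined $raw ? $raw : '<undef>');
    return '<p>Hello, ' . $name . '</p>';
};

dance;
```

A request such as `/greet?name=<script>` would render `&lt;script&gt;` in the paragraph. Note that option 1 and option 2 should not both be applied to the same value: escaping on entry and again in the template double-encodes, which is exactly the kind of inconsistency John's con for option 1 points at.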