Hi Richard, replying to the list. Please reply to the list next time - see the last line of my signature. On Mon, 28 Sep 2015 08:32:08 -0500 Richard Reina <gatorreina@gmail.com> wrote:
2015-09-28 3:28 GMT-05:00 Shlomi Fish <shlomif@shlomifish.org>:
Hi Richard,
some comments on your code:
On Sun, 27 Sep 2015 17:59:42 -0500 Richard Reina <gatorreina@gmail.com> wrote:
2015-09-27 11:24 GMT-05:00 Dave Cross <dave@dave.org.uk>:
On 27/09/15 16:34, Richard Reina wrote:
I think I am going to try to figure out how to use an array reference
instead. Traveling so can't try it until I get back tomorrow.
You can, of course, try whatever approach you want. But my second
solution
will work.
Dave...
--
Hi Dave,
This did in fact work. Here is how I ended up incorporating your solution.
<div class="well" style="max-height: 300px;overflow: auto;">
<ul class="list-group fancy-list-items">
<!-- <ul class="list-group checked-list-box"> -->
<table style="width:100%">
<% FOREACH Pat IN Pats.values.sort('SNAME') -%>
<tr class="list-group-item">
<td width="25"><% Pat.ID %>
<td width="70"><% Pat.SNAME %>
<td width="75"><% Pat.ANAME %>
<td width="35"><% Pat.SSN %>
<td width="35"><% Pat.YR %>
<td width="250"><% Pat.CHNAME %>
<td width="550"><% Pat.DESCRIP %>
1. You're missing the closing tag - "</td>".
Thanks for pointing out. Can't believe I missed that.
You're welcome. Are you validating your output? Do you have automated tests to do it for you?
2. Are you sure you're avoiding https://en.wikipedia.org/wiki/Cross-site_scripting ? Also see http://perl-begin.org/tutorials/bad-elements/#code_and_markup_injection .
I am not sure. Despite reading the recommended links I don't know enough to be sure. Why do you ask?
Because cross-site scripting (XSS) can be a serious security vulnerability. Let's suppose you put a field called "myfield" that was input from the user directly into the HTML:

<td><% myfield %></td>

Then a malicious user can put something like this in "myfield":

<script type="text/javascript">alert('XSS!')</script>

And this is just the beginning of malicious JS that can be inserted. For a cautionary measure, see: https://metacpan.org/release/Template-Stash-AutoEscaping

Regards,

Shlomi Fish
--
Shlomi Fish http://www.shlomifish.org/
Optimising Code for Speed - http://shlom.in/optimise
Please reply to list if it's a mailing list post - http://shlom.in/reply .
2015-09-28 16:54 GMT+03:00 Shlomi Fish <shlomif@shlomifish.org>:
Because cross-site scripting (XSS) can be a serious security vulnerability. Let's suppose you put a field called "myfield" that was input from the user directly into the HTML:
<td><% myfield %></td>
Then a malicious user can put something like this in "myfield":
<script type="text/javascript">alert('XSS!')</script>
And this is just the beginning of malicious JS that can be inserted.
For a cautionary measure, see:
Some template engines treat your variables as potentially dangerous unless you tell them otherwise. For example Text::Xslate: https://metacpan.org/pod/Text::Xslate#Smart-escaping-for-HTML-metacharacters

Wbr,
--
All the best,
G
2015-09-28 8:54 GMT-05:00 Shlomi Fish <shlomif@shlomifish.org>:
Hi Richard,
replying to the list. Please reply to the list next time - see the last line of my signature.
Sorry, meant to reply to the list.
<div class="well" style="max-height: 300px;overflow: auto;">
<ul class="list-group fancy-list-items">
<!-- <ul class="list-group checked-list-box"> -->
<table style="width:100%">
<% FOREACH Pat IN Pats.values.sort('SNAME') -%>
<tr class="list-group-item">
<td width="25"><% Pat.ID %>
<td width="70"><% Pat.SNAME %>
<td width="75"><% Pat.ANAME %>
<td width="35"><% Pat.SSN %>
<td width="35"><% Pat.YR %>
<td width="250"><% Pat.CHNAME %>
<td width="550"><% Pat.DESCRIP %>
1. You're missing the closing tag - "</td>".
Thanks for pointing out. Can't believe I missed that.
You're welcome. Are you validating your output? Do you have automated tests to do it for you?
Validation is a work in progress for me. Trying to find an elegant way to take it out of my Dancer app but that's another story. In this particular case -- the case above -- all of the data is coming from a table via $sth->fetchall_hashref('ID'). Is there still such a vulnerability if it's not user input?
On Mon, 28 Sep 2015 10:04:51 -0500 Richard Reina <gatorreina@gmail.com> wrote:
2015-09-28 8:54 GMT-05:00 Shlomi Fish <shlomif@shlomifish.org>:
Hi Richard,
replying to the list. Please reply to the list next time - see the last line of my signature.
Sorry, meant to reply to the list.
I see - OK.
Validation is a work in progress for me. Trying to find an elegant way to take it out of my Dancer app but that's another story. In this particular case -- the case above -- all of the data is coming from a table via $sth->fetchall_hashref('ID'). Is there still such a vulnerability if it's not user input?
Well, if end users can insert data into the table somehow, then it's still vulnerable. Furthermore, if the fields in the table contain special HTML characters like < , > , & , etc. then it may confuse the browser's HTML parser, and cause the HTML to not validate. So it's a good idea to escape the fields anyway when passing them to the output.

Regards,

Shlomi Fish
--
Shlomi Fish http://www.shlomifish.org/
NSA Factoids - http://www.shlomifish.org/humour/bits/facts/NSA/
One of my most productive days was throwing away 1,000 lines of code. — Ken Thompson (Attributed)
Please reply to list if it's a mailing list post - http://shlom.in/reply .
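The escaping recommended in the two replies above (the XSS explanation and the point that rows fetched from a table still need escaping), as an added example that is not code from the thread, from Dancer or from Template Toolkit's own documentation. It renders a row template twice, once as posted and once with Template Toolkit's built-in html filter on every interpolated value, over constructed sample rows that stand in for $sth->fetchall_hashref('ID'). The column names, sample values and the $tt/$pats variable names are assumptions; the Template module (Template Toolkit) and Test::More are assumed to be installed, and the <% %> tag style matches the one used in the posted template.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread. Assumes Template Toolkit
# (the "Template" CPAN module) is installed; START_TAG/END_TAG are set
# to <% and %> to match the tag style of the template posted on the list.
use strict;
use warnings;
use Template;
use Test::More tests => 4;

# Constructed sample rows standing in for $sth->fetchall_hashref('ID').
# Row 2 shows why "it comes from the database" is no guarantee: whoever
# filled the table (a form, an import, another application) may have
# stored markup, and a description with a bare "<" or "&" is ordinary
# data that still has to be escaped so the browser renders it as text.
my %pats = (
    1 => { ID => 1, SNAME => 'Smith', DESCRIP => 'Routine follow-up' },
    2 => { ID => 2, SNAME => '<script>alert("XSS")</script>',
           DESCRIP => 'BP < 120 & HR > 60' },
);

my $tt = Template->new({ START_TAG => '<%', END_TAG => '%>' })
    or die Template->error;

# Unescaped: the shape of the template posted on the list.
my $unsafe_tmpl = <<'TMPL';
<% FOREACH Pat IN Pats.values.sort('SNAME') -%>
<tr><td><% Pat.ID %></td><td><% Pat.SNAME %></td><td><% Pat.DESCRIP %></td></tr>
<% END -%>
TMPL

# Escaped: the html filter turns < > & " into entities, so any markup
# stored in a field is displayed rather than parsed.
my $safe_tmpl = <<'TMPL';
<% FOREACH Pat IN Pats.values.sort('SNAME') -%>
<tr><td><% Pat.ID | html %></td><td><% Pat.SNAME | html %></td><td><% Pat.DESCRIP | html %></td></tr>
<% END -%>
TMPL

# Render a template string with the given variables and return the output.
sub render {
    my ($tmpl, $vars) = @_;
    my $out = '';
    $tt->process(\$tmpl, $vars, \$out) or die $tt->error;
    return $out;
}

my $unsafe = render($unsafe_tmpl, { Pats => \%pats });
my $safe   = render($safe_tmpl,   { Pats => \%pats });

diag("--- unescaped ---\n$unsafe");
diag("--- escaped ---\n$safe");

# The kind of automated check the thread asks about: output escaping
# must leave no live <script> element, while keeping the text readable.
like(   $unsafe, qr/<script>/,       'unescaped template lets the script element through');
unlike( $safe,   qr/<script>/,       'escaped output carries no script element');
like(   $safe,   qr/&lt;script&gt;/, 'the stored markup survives as visible text');
like(   $safe,   qr/BP &lt; 120 &amp; HR &gt; 60/,
        'bare < and & in ordinary data are escaped too');
```

Run it with perl and the four checks pass; the diag lines show both renderings side by side. The html filter covers text content and double-quoted attribute values; a value placed inside a JavaScript block, a URL or an unquoted attribute needs context-specific encoding instead. Template::Stash::AutoEscaping, mentioned in the thread, and Text::Xslate's smart escaping invert the default so that a forgotten filter fails safe rather than open.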
Participants (3): Richard Reina, Shlomi Fish, WK