perl-dev mailing list archives

From Stas Bekman <s...@stason.org>
Subject Re: Cross-site scripting vulnerability in Apache::Util
Date Thu, 24 Jan 2002 19:25:58 GMT

> however it comes about is fine, I guess.  however, if Apache::Util in 1.3 is left
> un-patched then we're kinda giving a false impression that calling
> Apache::Util::escape_html() is sufficient to thwart CSS attacks when it really only keeps
> all but the most clever away.


I guess we should document this first of all, till it gets fixed. So 
there will be no surprises.


>>So what spec are you working with?
>>
> 
> robin and I were reading
> 
> http://www.cl.cam.ac.uk/~mgk25/unicode.html
> 
> but there may be others.


thanks!


>>Can we just reap the functionality from some Perl core module in
>>bleadperl that does it right?
>>
> 
> well, the problem that robin and I were contemplating is that Apache::Util is supposed to
> be fast because it uses XS.  if we went to a pure perl implementation we would lose the
> speed and duplicate something like HTML::Entities (although it would be easier to solve
> the problem).
> 
> that said, perhaps there is C code in utf8.c (or wherever) that we can steal to make life
> easier.  we probably need to get someone involved who understands the issues better than I
> do :)

Well I suggested to reap from bleadperl, which is mostly written in C :) 
But having nicely implemented code in Perl is a good start. It's much 
easier to rewrite in C than starting from scratch.

_____________________________________________________________________
Stas Bekman             JAm_pH      --   Just Another mod_perl Hacker
http://stason.org/      mod_perl Guide   http://perl.apache.org/guide
mailto:stas@stason.org  http://ticketmaster.com http://apacheweek.com
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
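The point the thread circles around (a byte-level escaper such as the XS one only rewrites the canonical ASCII bytes, so non-shortest-form UTF-8 described on Kuhn's page sails through) shown as an added Python example; this is not Apache::Util's code, and the function names and sample inputs are constructed for illustration:

```python
import html

# Naive byte-level escaper in the spirit of a C/XS implementation: it rewrites only the
# ASCII bytes < > & " and passes every other byte through without checking that the
# input is well-formed UTF-8 (assumed behaviour, modelled after the thread's description).
_ESCAPES = {ord('<'): b'&lt;', ord('>'): b'&gt;', ord('&'): b'&amp;', ord('"'): b'&quot;'}

def escape_html_bytes(data: bytes) -> bytes:
    return b''.join(_ESCAPES.get(b, bytes([b])) for b in data)

def is_well_formed_utf8(data: bytes) -> bool:
    # Python's strict UTF-8 decoder rejects overlong (non-shortest-form) sequences,
    # encoded surrogates and truncated multi-byte sequences, which is exactly the
    # validation step the byte-level escaper above lacks.
    try:
        data.decode('utf-8')
        return True
    except UnicodeDecodeError:
        return False

def escape_html_strict(data: bytes) -> str:
    # Hardened order of operations: validate and decode first, escape second, so the
    # only '<' that can reach the escaper is the single canonical byte 0x3C.
    text = data.decode('utf-8')            # raises UnicodeDecodeError on malformed input
    return html.escape(text, quote=True)

def strict_rejects(data: bytes) -> bool:
    try:
        escape_html_strict(data)
        return False
    except UnicodeDecodeError:
        return True

# Constructed samples.
CANONICAL = '<b>&"\u00e9"</b>'.encode('utf-8')   # ordinary well-formed input
OVERLONG_LT = b'\xc0\xbc'                       # two-byte non-shortest form of U+003C '<'
TRUNCATED = b'caf\xc3'                          # multi-byte sequence cut off

if __name__ == '__main__':
    # The naive escaper leaves the overlong form byte-for-byte unchanged; the strict
    # one refuses it instead of emitting bytes whose meaning depends on the browser.
    print(escape_html_bytes(CANONICAL))
    print(escape_html_bytes(OVERLONG_LT) == OVERLONG_LT, strict_rejects(OVERLONG_LT))
```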



