perl-dev mailing list archives

From Stas Bekman <>
Subject Re: Cross-site scripting vulnerability in Apache::Util
Date Thu, 24 Jan 2002 19:25:58 GMT

> however it comes about is fine, I guess.  however, if Apache::Util in 1.3 is left
> un-patched then we're kinda giving a false impression that calling
> Apache::Util::escape_html() is sufficient to thwart CSS attacks when it really only keeps
> all but the most clever away.

I guess we should document this first of all, till it gets fixed, so 
there will be no surprises.

>>So what spec are you working with?
> robin and I were reading
> but there may be others.


>>Can we just reap the functionality from some Perl core module in
>>bleadperl that does it right?
> well, the problem that robin and I were contemplating is that Apache::Util is supposed
> to be fast because it uses XS.  if we went to a pure perl implementation we would lose
> speed and duplicate something like HTML::Entities (although it would be easier to solve
> the problem).
> that said, perhaps there is C code in utf8.c (or wherever) that we can steal to make
> easier.  we probably need to get someone involved who understands the issues better than
> we do :)

Well, I suggested to reap from bleadperl, which is mostly written in C :) 
But having nicely implemented code in Perl is a good start. It's much 
easier to rewrite in C than starting from scratch.

Stas Bekman             JAm_pH      --   Just Another mod_perl Hacker      mod_perl Guide
