perl-embperl mailing list archives

From Pierre Etchemaite <petch...@concept-micro.com>
Subject Does escmode param work in 1.3.3 HTML::Embperl::Execute ?
Date Tue, 11 Jan 2005 20:30:52 GMT

Hi all,

I'm running a forum that runs on Embperl 1.3.3, and I just found a security
problem in it: it doesn't filter HTML tags correctly.

Since I'm enriching users' texts (to use italics for lines starting with a
'>', and to "vivify" urls), I'm not simply using Embperl automatic escaping.
Instead, I'm using HTML::Embperl::Execute:

(page)
...
  [+ local $escmode=0; UserText($message) +]
...

(module)
...
sub UserText($) {
    my($t) = @_;
    my($r);
    HTML::Embperl::Execute({'escmode' => 1,
                            'input' => \$t,
                            'inputfile' => 'usersuppliedtext',
                            'output' => \$r});
    $r =~ s/\x0d\x0a/<BR>\n/g;
    $r =~ s@^(>.*)$@<I>$1</I>@gm;
    $r =~ s@((?:ftp|http|news)://[^ <]*[^ .,:;!?<>()])@<A HREF="$1">$1</A>@gi;
    return $r;
}
...

But despite the 'escmode' => 1 parameter, HTML::Embperl::Execute doesn't seem
to HTML-escape <, >, etc.


Thanks in advance,
Pierre.
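As an added example (not Pierre's code and not part of the original message): Embperl's escmode governs the output of its own [+ ... +] expression blocks, not literal text in the document it is handed, so text passed to Execute as 'input' reaches the browser unescaped. The safe ordering is to HTML-encode the raw text with HTML::Entities first and apply the enrichment afterwards, so the only markup that survives is the markup the function itself adds. The function name user_text_safe and the sample input are assumptions; the enrichment rules follow the posted UserText, with the patterns adapted to already-escaped text.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Escape first, then enrich: nothing the user typed can be parsed as a tag
# or an attribute delimiter, because those characters are entities by the
# time the <BR>, <I> and <A> markup is added.
sub user_text_safe {
    my ($t) = @_;
    $t = '' unless defined $t;

    # 1. Neutralise HTML metacharacters in the raw text.
    my $r = encode_entities($t, q{<>&"'});

    # 2. Line breaks (CRLF or bare LF) become <BR>.
    $r =~ s/\x0d?\x0a/<BR>\n/g;

    # 3. Quoted lines: after escaping, a leading '>' reads as '&gt;'.
    $r =~ s{^(&gt;.*)$}{<I>$1</I>}gm;

    # 4. Link URLs. The escaped text contains no '<', '>' or '"', so the
    #    captured URL can be reused inside a quoted href without further
    #    quoting. Only the listed schemes are linkified; anything else is
    #    left as plain (already escaped) text. '&amp;' inside a query
    #    string is valid HTML and decodes back to '&' in the browser.
    $r =~ s{((?:ftp|https?|news)://[^\s<]*[^\s.,:;!?<>()])}
           {<A HREF="$1">$1</A>}gi;

    return $r;
}

# Constructed sample input (hypothetical, not from the original post).
my $sample = "> quoted line\r\n"
           . "see http://example.com/page?a=1&b=2.\r\n"
           . "<b onmouseover=\"x()\">bold</b>";
print user_text_safe($sample), "\n";
```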
