perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Clinton Gormley < >
Subject Re: Config::Loader and HTML::StripScripts
Date Tue, 26 Jun 2007 15:09:56 GMT
On Tue, 2007-06-26 at 11:02 -0400, Jonathan Vanasco wrote:
> On Jun 26, 2007, at 10:22 AM, Clinton Gormley wrote:
> > HTML::StripScripts
> thanks!  I'm already a happy user.
> excited to check out the changelog.
> does the new version automagically do the anti-xss flash embed  
> extensions that myspace had adobe put in?
> 	allowScriptAccess="never"
> 	allownetworking="internal"
> in the old version, i need to do that manually.
> xss didn't launch with that, but I believe its on the site now. 

I don't know what those are :)

<object> tags are removed by default, and you would still need to
subclass HTML::StripScripts in order to allow those elements.

The Rules (for safety's sake) are applied after the standard parsing has
already happened, and object's are not allowed because they are just too
risky. So if you want to do that, subclass the WHITELIST INITIALIZATION
METHODS and add the relevant config in there.

After that, the full power of Rules is available to you


View raw message