Subject: Re: Config::Loader and HTML::StripScripts
From: Clinton Gormley
To: Jonathan Vanasco
Cc: modperl
Date: Tue, 26 Jun 2007 17:09:56 +0200

On Tue, 2007-06-26 at 11:02 -0400, Jonathan Vanasco wrote:
> On Jun 26, 2007, at 10:22 AM, Clinton Gormley wrote:
>
> > HTML::StripScripts
>
> thanks! I'm already a happy user.
> excited to check out the changelog.
>
> does the new version automagically do the anti-xss flash embed
> extensions that myspace had adobe put in?
> allowScriptAccess="never"
> allownetworking="internal"
>
> in the old version, i need to do that manually.
> xss didn't launch with that, but I believe it's on the site now.

I don't know what those are :)

 tags are removed by default, and you would still need to subclass
HTML::StripScripts in order to allow those elements.

The Rules (for safety's sake) are applied after the standard parsing has
already happened, and objects are not allowed because they are just too
risky.

So if you want to do that, subclass the WHITELIST INITIALIZATION METHODS
and add the relevant config in there. After that, the full power of
Rules is available to you.

Clint
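
The subclassing approach described in the reply above, as an added example that is not part of the original message and not the module author's code: it whitelists only `<embed>` (not `<object>`) and uses a Rules callback to force the two Flash attributes from the question. The package name and sample URL are constructed; the embed attributes reuse whatever value classes the base whitelist assigns to `img`, and the code relies on the whitelist initialization methods and Rules tag callback as documented for HTML::StripScripts.

```perl
package My::FlashSafeFilter;    # hypothetical subclass name
use strict;
use warnings;
use base 'HTML::StripScripts';

# Copy a two-level whitelist so edits stay local to this subclass and
# never modify the hashes handed out by the base class.
sub _copy { my $wl = shift; return { map { $_ => { %{ $wl->{$_} } } } keys %$wl } }

sub init_context_whitelist {
    my $wl = _copy( shift->SUPER::init_context_whitelist );
    # Permit <embed> as an empty element in flow and inline content only.
    $wl->{$_}{embed} = 'EMPTY' for grep { exists $wl->{$_} } qw(Flow Inline);
    return $wl;
}

sub init_attrib_whitelist {
    my $wl  = _copy( shift->SUPER::init_attrib_whitelist );
    my $img = $wl->{img} || {};
    # Reuse the value classes the base class applies to <img> for the URL
    # and dimensions; anything not listed here is dropped from the tag.
    $wl->{embed} = {
        ( map { exists $img->{$_} ? ( $_ => $img->{$_} ) : () } qw(src width height) ),
        allowscriptaccess => 'flash_never',
        allownetworking   => 'flash_internal',
    };
    return $wl;
}

sub init_attval_whitelist {
    my $wl = { %{ shift->SUPER::init_attval_whitelist } };
    # Whatever value the input supplies is replaced by the safe one.
    $wl->{flash_never}    = sub { 'never' };
    $wl->{flash_internal} = sub { 'internal' };
    return $wl;
}

package main;

my $filter = My::FlashSafeFilter->new({
    AllowSrc => 1,    # src attributes are rejected unless this is set
    Rules    => {
        embed => sub {    # runs after whitelist parsing; adds the attributes
            my ( $f, $element ) = @_;    # even when the input omitted them
            $element->{attr}{allowscriptaccess} = 'never';
            $element->{attr}{allownetworking}   = 'internal';
            return 1;
        },
    },
});
$filter->input_start_document;
$filter->input_start('<embed src="http://media.example/clip.swf" allowScriptAccess="always">');
$filter->input_end_document;
print $filter->filtered_document, "\n";
```

The whitelist alone only rewrites the attributes when the input carries them; the Rules callback is what adds them to an `<embed>` that arrived without either one.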