> HTML::Scrubber is not really broken. The problem is that the > documentation leads the user to do broken things, as was shown with > Planet Plagger. It is possible to make a secure HTML::Scrubber config, > but you need to default deny everything and then only allow a select > list of tags and attributes - and you need to really think about that > list. The underlying problem, which I suspect HTML::Stripscripts shares > is that HTML::Parser thinks that the attribute "foo=bar" is different > than the attribute "foo.=bar" (RSnake covers this kind of evasion in his > document fairly well) and your browser thinks that everthing non > alphanumeric before the equals sign is junk. HTML::StripScripts::Parser has a default deny everything approach, and reconstructs the HTML fed to it, so unless it makes sense as html, it doesn't get passed through and reconstructed. I tried out loads of different forms of XSS attacks from RSnake's site, and they were all neutered by StripScripts, including the 'foo.=' form. > So without actually > sitting down and auditing HTML::Stripscripts I'd say it probably _can_ > be used safely, but odds are most people won't. Again, without actually auditing it but based on my experience of configuring and using it, I would say that with the default settings of HTML::StripScripts::Parser, you'd be pretty safe, but that you could configure it so that it would NOT be safe. Clint
Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.