NAME

Apache2::TaintRequest - HTML Escape tainted data to prevent CSS Attacks

SYNOPSIS

 use Apache2::TaintRequest ();

sub handler { my $r = shift; $r = Apache2::TaintRequest->new($r);

    my $querystring = $r->query_string();
    $r->print($querystring);    # html is escaped...

    $querystring =~ s/<script>//;
    $r->print($querystring);    # html is NOT escaped...
}

DESCRIPTION

Note:

This code is derived from the Apache::TaintRequest module, available as part of "The mod_perl Developer's Cookbook".

One of the harder problems facing web developers involves dealing with potential cross site scripting attacks. Frequently this involves many calls to HTML::Entities::escape_html().

This module aims to automate this tedious process. It overrides the print mechanism in the mod_perl Apache module. The new print method tests each chunk of text for taintedness. If it is tainted we assume the worst and html-escape it before printing.

Note that this module requires that you have the line

  PerlSwitches -T

in your httpd.conf. This may have other unintended side effects, so be warned.

SEE ALSO

perl(1), mod_perl(1), Apache(3), Taint, Apache::TaintRequest

http://perl.apache.org/docs/2.0/user/porting/compat.html#C_PerlTaintCheck_

AUTHORS

Fred Moyer <fred@redhotpenguin.com>

COPYRIGHT

Apache2::TaintRequest Copryright (c) 2012, Fred Moyer

Apache::TaintRequest Copyright (c) 2001, Paul Lindner, Geoffrey Young, Randy Kobes.

All rights reserved.

This module is free software. It may be used, redistributed and/or modified under the same terms as Perl itself.

HISTORY

This code is derived from the Apache::TaintRequest module, available on the CPAN.