Cross Site Scripting prevention

Does anyone out there know of a perl module which will remove all javascript references from a string?

So that the users can use FCK to write html, but they cannot write javascript.

Tue, 08/09/2005 - 15:57

stephenrs

Joined: 04/06/2005

Posts: 40

RE: Cross Site Scripting prevention

couldn't this be done with a single regular expression which would strip out everything between <script...>and</script>?

Tue, 08/09/2005 - 17:55

telebrett

Joined: 28/02/2006

Posts: 36

RE: Cross Site Scripting prevention

ahh, but it also needs to include events as well, eg "onmouseover","onhover" and links to "javascript:"

Tue, 08/09/2005 - 21:54

stephenrs

Joined: 04/06/2005

Posts: 40

RE: Cross Site Scripting prevention

good point. this still shouldn't be too difficult to cook up using regular expressions. i'm not much of a perl programmer (and i'm not aware of any modules for this particular problem), but this could be done quite easily in php, and perl's regular expression handling is the grand daddy of them all. good luck with it. sorry i couldn't be more help.

Tue, 08/09/2005 - 22:55

telebrett

Joined: 28/02/2006

Posts: 36

RE: Cross Site Scripting prevention

Tue, 08/09/2005 - 23:14

telebrett

Joined: 28/02/2006

Posts: 36

RE: Cross Site Scripting prevention

That last one should actually be

$string =~ s/<(.*?)javascript\:(.*?)/<$1>/sig;