
Re: Cross-site scripting protection

  • Josh Chamas
    Message 1 of 2 , Jan 30, 2004
      Ben Soares wrote:
      > Hi,
      >
      > Are there any methods/flags/options available in Apache::ASP to help the
      > developer protect against cross-site scripting?
      >
      > Any other recommendations in this area?
      >

      Any bit of dynamic data (i.e. data you can't trust) rendered on your page
      should be escaped with

      <%= $Server->HTMLEncode($data) %>

      You can create a quick alias for that in global.asa like:

      # global.asa
      sub esc($) { $Server->HTMLEncode(shift) }

      and then call

      <%= esc($data) %>

      or you can turn it into an XMLSubs routine like:

      sub my::enc {
      my($args, $html) = @_;
      print $main::Server->HTMLEncode($html);
      }

      and then use it like:

      <my:enc><%= $data %></my:enc>

      I am sure others will have other methods they like to use for this... :-)

      Regards,

      Josh

      ________________________________________________________________
      Josh Chamas, Founder phone:925-552-0128
      Chamas Enterprises Inc. http://www.chamas.com
      NodeWorks Link Checker http://www.nodeworks.com


      ---------------------------------------------------------------------
      To unsubscribe, e-mail: asp-unsubscribe@...
      For additional commands, e-mail: asp-help@...
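
The escaping advice in the reply above, shown as an added example that is not part of the original message and is not Apache::ASP code. It is a stand-alone Perl script in which `html_encode` is a hypothetical stand-in for `$Server->HTMLEncode` (assumed to rewrite `&`, `"`, `<` and `>`), and the form values are constructed sample input.

```perl
#!/usr/bin/perl
# Added example: stand-alone model of escaping untrusted data at output time.
use strict;
use warnings;

# Hypothetical stand-in for $Server->HTMLEncode. Assumption: like the real
# method it rewrites & " < > as entities. This is not Apache::ASP's own code.
sub html_encode {
    my ($s) = @_;
    return '' unless defined $s;
    my %ent = ('&' => '&amp;', '"' => '&quot;', '<' => '&lt;', '>' => '&gt;');
    $s =~ s/([&"<>])/$ent{$1}/g;    # single pass, so '&' is never re-encoded
    return $s;
}

# Constructed sample input, as it might arrive in submitted form fields.
my %form = (
    name    => 'Ben "B" <ben@example.test>',
    comment => '<script>alert(1)</script> & more',
);

# Before: untrusted values interpolated straight into the markup.
sub render_raw {
    my ($f) = @_;
    return qq{<input name="name" value="$f->{name}">\n<p>$f->{comment}</p>\n};
}

# After: every dynamic value is encoded at the point where it is written out.
sub render_escaped {
    my ($f) = @_;
    my %e = map { $_ => html_encode($f->{$_}) } keys %$f;
    return qq{<input name="name" value="$e{name}">\n<p>$e{comment}</p>\n};
}

print "--- raw ---\n",     render_raw(\%form);
print "--- escaped ---\n", render_escaped(\%form);

# Check: no markup-significant character from the input survives encoding.
for my $k (sort keys %form) {
    my $out = html_encode($form{$k});
    die "unescaped markup in $k\n" if $out =~ /[<>"]/;
}
print "ok: encoded values contain no <, > or \"\n";
```

The stand-in leaves `'` untouched, which is why the escaped template keeps its attribute value inside double quotes.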