July 2011 Archives

Fixing XSS in Catalyst with a really big hammer

A few friends of mine are currently working on a community website of sorts, which means they'll have tons of user-provided content and interaction. This also means there are possible XSS problems all over the place.

So they started dutifully adding `| html` all over the place. But that's stupid. It's playing whack-a-mole, because this sort of issue will keep cropping up again and again, often only to be noticed after it has been abused.

However, it is now really easy to fix this by having the `html` filter applied to every output token in a template…
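To make the idea concrete, here is an added example (not code from the post or from any CPAN module) that rewrites a Template Toolkit template before rendering so every output directive carries `| html`, while control directives, assignments, comments and tokens that already end in the `html` filter are left alone. The function name `auto_html_filter`, the sample template and the hostile value of `name` are constructed for the demonstration; only the `Template` module from CPAN is assumed.

```perl
#!/usr/bin/env perl
# Added example: apply the "html" filter to every output token of a
# Template Toolkit template by rewriting the template text before it is
# rendered. Names are hypothetical; only Template (TT2) is assumed.
use strict;
use warnings;
use Template;

# Directives that produce no output. Appending a filter to these would
# break the template, so they pass through untouched; the same goes for
# comments and plain assignments.
my $no_output = qr{
    ^\s*(?:
        IF|UNLESS|ELSIF|ELSE|END|FOREACH|FOR|WHILE|SWITCH|CASE|
        BLOCK|PROCESS|INCLUDE|INSERT|WRAPPER|SET|DEFAULT|USE|MACRO|
        FILTER|TRY|CATCH|FINAL|THROW|NEXT|LAST|RETURN|STOP|CLEAR|
        META|TAGS|DEBUG|CALL
    )\b
  | ^\s*\#                       # [%# a comment %]
  | ^\s*[\w.]+\s*=(?!=)          # [% foo = bar %] assignment
}x;

# Rewrite "[% token %]" into "[% token | html %]" unless the directive is
# a control directive or already ends in the html filter. Chomp flags
# ("[%-", "-%]") are preserved around the directive body.
sub auto_html_filter {
    my ($template) = @_;
    $template =~ s{\[%([-+=~]?)(.*?)([-+=~]?)%\]}{
        my ($pre, $body, $post) = ($1, $2, $3);
        my $out = $body;
        unless ($body =~ $no_output
             or $body =~ /\|\s*html(?:_entity)?\s*$/) {
            (my $trimmed = $body) =~ s/^\s+|\s+$//g;
            $out = " $trimmed | html ";
        }
        "[%$pre$out$post%]";
    }gse;
    return $template;
}

# Constructed sample: one token was escaped by hand, one was forgotten,
# and "name" carries a script tag.
my $template = <<'TT';
<p>Hello, [% name %]!</p>
[% IF admin %]<b>[% name | html %] is an admin</b>[% END %]
TT

my $vars = { name => '<script>alert(1)</script>', admin => 1 };
my $tt   = Template->new;

my $rewritten = auto_html_filter($template);
print "--- rewritten template ---\n$rewritten";

my ($unsafe, $safe);
$tt->process(\$template,  $vars, \$unsafe) or die $tt->error;
$tt->process(\$rewritten, $vars, \$safe)   or die $tt->error;

print "--- without auto filter ---\n$unsafe";
print "--- with auto filter ---\n$safe";
```

Run it and compare the two renderings: the first carries the raw script tag into the page, the second shows it entity-encoded in both places without double-escaping the token that already had `| html`. Two caveats a practitioner should keep in mind. First, this is a regex over the template text, not a parser hook: it only recognises the default `[% %]` tags and only checks the last filter in a chain, so `[% x | html | truncate(10) %]` would be escaped twice; doing the same thing at the `Template::Parser` level (as the CPAN module Template::AutoFilter does) avoids those blind spots. Second, TT's `html` filter escapes `<`, `>`, `&` and `"` only, so it is the right default for element content and double-quoted attributes but not for values interpolated into JavaScript, URLs or unquoted attributes, which need a context-specific filter.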

About Mithaldu

Not writing much, but often found pawing at CPAN with other #perl-cats