tags: (none)
views: 146
answers: 2
I need a way in Perl to strip naughty things, such as XSS, image interjection, and the works.

I found HTML::StripScripts, but it hasn't been updated in close to two years, and I'm not up to date with all the new exploits.

Is it safe?

What other markup languages (in Perl) would you use?

+2 A:

XSS is a vast topic and exploits come up every other day.

Just removing scripts will not make your code/site safe.

It is better not to try to strip (blacklist) certain things. It is safer to whitelist the HTML/special characters you will allow on your site, i.e. <b>, <i>.

Defang seems to be the latest/greatest anti-XSS lib for Perl on CPAN.

Blacklisting vs Whitelisting

OWASP XSS Cheat Sheet

And I suggest playing with CAL9000 to get an idea of how widespread / tricky XSS is

Chad Grant
HTML::StripScripts is a whitelist.
Timmy
I am not a Perl coder; its name implies that it just strips scripts ;)
Chad Grant
Fair enough, I'm not 100% up to date (or at least not 100% confident) on XSS stuff, and the main knock on this module for me is that it hasn't been updated since 2007!
Timmy
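To make the whitelist point concrete, here is an added example (not code from the question, the answers, or any of the modules named above) of an allowlist filter built on HTML::Parser from CPAN: only the tags and attributes in %ALLOWED survive, everything else is removed, and all text is re-escaped. The sample input is constructed; it includes an event-handler attribute precisely because a "strip <script>" blacklist would let it through.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTML::Parser;   # CPAN module (assumed installed), not core Perl

# Allowlist: tag => permitted attributes. Any tag not listed is removed;
# any attribute not listed for an allowed tag is removed.
my %ALLOWED = (b => [], i => [], em => [], strong => [], a => ['href']);

sub escape_text {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# Attribute-level check: href may only carry an absolute http(s) URL,
# so javascript:/data: URLs are dropped along with the attribute.
sub attr_ok {
    my ($name, $value) = @_;
    return $name eq 'href' ? ($value =~ m{\A\s*https?://}i) : 1;
}

sub sanitize {
    my ($html) = @_;
    my ($out, $dropping) = ('', 0);   # $dropping > 0 while inside <script>/<style>
    my $p = HTML::Parser->new(
        api_version => 3,
        start_h => [sub {
            my ($tag, $attr) = @_;
            $dropping++ if $tag eq 'script' || $tag eq 'style';
            return unless exists $ALLOWED{$tag};
            my $attrs = '';
            for my $name (@{ $ALLOWED{$tag} }) {
                next unless defined $attr->{$name} && attr_ok($name, $attr->{$name});
                $attrs .= qq{ $name="} . escape_text($attr->{$name}) . '"';
            }
            $out .= "<$tag$attrs>";
        }, 'tagname, attr'],
        end_h => [sub {
            my ($tag) = @_;
            $dropping-- if ($tag eq 'script' || $tag eq 'style') && $dropping;
            $out .= "</$tag>" if exists $ALLOWED{$tag};
        }, 'tagname'],
        # 'dtext' is entity-decoded text; it is re-escaped before output.
        text_h => [sub { $out .= escape_text($_[0]) unless $dropping }, 'dtext'],
    );
    $p->parse($html);
    $p->eof;
    return $out;
}

# Constructed sample input: script contents are dropped, the <img> and its
# handler vanish, the javascript: href is stripped, the https: href is kept.
my $untrusted = '<b>hi</b> <script>alert(1)</script> <img src="x" onerror="alert(1)">'
              . ' <a href="javascript:alert(1)">link</a> <a href="https://example.org">ok</a> 1 < 2';
print sanitize($untrusted), "\n";
```

This filter does not balance tags (a stray </b> is passed through as-is), which is why the tree-based parser option mentioned in the other answer is worth enabling in a real deployment.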
A: 

HTML::StripScripts is a whitelist, and can use a tree-based parser and should be as safe as the whitelist.

Timmy