NAME

Apache::TaintRequest - HTML Escape tainted data to prevent CSS Attacks

SYNOPSIS

use Apache::TaintRequest ();

sub handler {
  my $r = shift;
  $r = Apache::TaintRequest->new($r);

  my $querystring = $r->query_string();
  $r->print($querystring);   # html is escaped...

  $querystring =~ s/<script>//;
  $r->print($querystring);   # html is NOT escaped...
}

DESCRIPTION

Note:

This code is derived from the Cookbook::TaintRequest module, available as part of "The mod_perl Developer's Cookbook".

One of the harder problems facing web developers involves dealing with potential cross site scripting attacks. Frequently this involves many calls to Apache::Util::escape_html().

This module aims to automate this tedious process. It overrides the print mechanism in the mod_perl Apache module. The new print method tests each chunk of text for taintedness. If it is tainted we assume the worst and html-escape it before printing.

Note that this module requires that you have the line

PerlTaintCheck on

in your httpd.conf. This may have other unintended side effects, so be warned.

SEE ALSO

perl(1), mod_perl(1), Apache(3), Taint

AUTHORS

Paul Lindner <paul@modperlcookbook.org>

Geoffrey Young <geoff@modperlcookbook.org>

Randy Kobes <randy@modperlcookbook.org>

COPYRIGHT

Copyright (c) 2001, Paul Lindner, Geoffrey Young, Randy Kobes.

All rights reserved.

This module is free software. It may be used, redistributed and/or modified under the same terms as Perl itself.

HISTORY

This code is derived from the Cookbook::TaintRequest module, available as part of "The mod_perl Developer's Cookbook".

For more information, visit http://www.modperlcookbook.org/