Thursday, May 5, 2011

Is HTML::StripScripts still safe for removing modern exploits?

I need a way in Perl to strip naughty things, such as XSS, image interjection, and the works.

I found HTML::StripScripts but it hasn't updated in close to two years, and I'm not up to date with all the new exploits.

Is it safe?

What other markup languages (in Perl) would you use?

From stackoverflow
  • XSS is a vast topic and exploits come up every other day.

    Just removing scripts will not make your code/site safe.

    It is better to not try to strip (blacklisting) certain things. It is safer to whitelist the HTML/special characters you will allow on your site, i.e. <b>, <i>

    Defang seems to be the latest/greatest anti-XSS lib for Perl on CPAN

    Blacklisting vs Whitelisting

    OWASP XSS Cheat Sheet

    And I suggest playing with CAL9000 to get an idea of how widespread / tricky XSS is

    Timmy : HTML::StripScripts is a whitelist.
    Chad Grant : I am not a Perl coder; its name implies that it just strips scripts ;)
    Timmy : Fair enough, I'm not 100% up to date (or at least not 100% confident) on XSS stuff, and the main knock on this module for me is that it hasn't been updated since 2007!
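The blacklist-versus-whitelist point in the answer above, shown as an added example (not code from the original post, and not the implementation of HTML::StripScripts or Defang). It assumes the CPAN modules HTML::Parser and HTML::Entities are installed; the function names, the allowed-tag table and the sample input are constructed for this illustration. `strip_scripts_only` removes only `<script>` elements, while `whitelist_html` parses the markup and keeps nothing that is not explicitly listed:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Parser ();
use HTML::Entities qw(encode_entities);

# Blacklist approach: remove <script> elements and nothing else. Event-handler
# attributes and javascript: URLs are not scripts by this definition, so they
# pass straight through.
sub strip_scripts_only {
    my ($html) = @_;
    $html =~ s{<script\b[^>]*>.*?</script\s*>}{}gis;
    return $html;
}

# Whitelist approach: only these tags survive, and for each tag only the listed
# attributes. Everything else (tags, attributes, comments, declarations) is dropped.
my %ALLOWED = (
    b      => {},
    i      => {},
    em     => {},
    strong => {},
    p      => {},
    a      => { href => 1 },
);

# A link target is kept only if it is an absolute http(s) URL or site-relative.
sub safe_href {
    my ($url) = @_;
    return 0 unless defined $url;
    $url =~ s/^\s+//;
    return $url =~ m{^(?:https?://|/)}i ? 1 : 0;
}

sub whitelist_html {
    my ($html) = @_;
    my $out  = '';
    my @open;    # allowed tags currently open, so closers come out balanced

    my $p = HTML::Parser->new(
        api_version     => 3,
        ignore_elements => [qw(script style)],    # drop tag, content and closer
        start_h => [ sub {
            my ($tag, $attr) = @_;
            return unless exists $ALLOWED{$tag};
            my $attrs = '';
            for my $name (sort keys %$attr) {
                next unless $ALLOWED{$tag}{$name};
                my $value = $attr->{$name};
                next if $name eq 'href' && !safe_href($value);
                $attrs .= qq{ $name="} . encode_entities($value, '<>&"') . '"';
            }
            $out .= "<$tag$attrs>";
            push @open, $tag;
        }, 'tagname, attr' ],
        end_h => [ sub {
            my ($tag) = @_;
            return unless exists $ALLOWED{$tag};
            # Close only a tag that is really open; stray closers are dropped.
            my $idx = -1;
            for my $i (reverse 0 .. $#open) {
                if ($open[$i] eq $tag) { $idx = $i; last }
            }
            return if $idx < 0;
            $out .= '</' . pop(@open) . '>' while @open > $idx;
        }, 'tagname' ],
        # 'dtext' hands us decoded text, so re-encoding it here is correct.
        text_h => [ sub {
            my ($dtext) = @_;
            $out .= encode_entities($dtext, '<>&"');
        }, 'dtext' ],
    );
    $p->parse($html);
    $p->eof;
    $out .= '</' . pop(@open) . '>' while @open;    # close anything left open
    return $out;
}

# Constructed sample input mixing allowed markup with the kinds of things a
# script-only filter misses: an event-handler attribute and a javascript: link.
my $dirty = q{<p onclick="steal()">Hi <b>there</b><script>alert(1)</script>}
          . q{<img src="x" onerror="alert(1)"><a href="javascript:alert(1)">x</a>}
          . q{<a href="https://example.com">ok</a></p>};

print "blacklist: ", strip_scripts_only($dirty), "\n";
print "whitelist: ", whitelist_html($dirty), "\n";
```

Run it and compare the two lines: the blacklist output still carries the `onclick`, `onerror` and `javascript:` payloads, while the whitelist output contains only `<p>`, `<b>` and `<a>` with the one `https://` link. The important design property is that a tag or attribute nobody thought about is dropped by default, which is exactly what a strip-list cannot give you.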
  • HTML::StripScripts is a whitelist, and can use a tree-based parser and should be as safe as the whitelist.
