Skip to content

Instantly share code, notes, and snippets.

@zostay
Created Aug 15, 2012
Embed
What would you like to do?
OWASP Top Ten - A2 Cross Site Scripting (XSS) - Good/Bad - In Perl
use v5.16;
use Plack::Request;
my $app = sub {
# Use Plack::Request to help parse the environment
my $req = Plack::Request->new(shift);
# Load our input
my $input = $req->parameters->{input};
# BAD BAD BAD Display that input in the HTML page, but without
# validation or encoding out the possibly SCRIPT or other malicious tags
return [
200, [ 'Content-type' => 'text/html' ],
[
qq[<html><head><title>Hello</title></head>],
qq[<body><p>$input</p></body></html>],
]
];
};
use v5.16;
use HTML::Entities;
use Plack::Request;
my $app = sub {
# Use Plack::Request to help parse the environment
my $req = Plack::Request->new(shift);
# Load our input
my $input = $req->parameters->{input};
# Validate the input to make sure there aren't any <script> tags in it
return [ 400, [ 'Content-type' => 'text/html' ],
[ 'You are naughty.' ] ]
unless $input =~ /^\w+$/;
# Prior to outputting, make sure we encode it for HTML
my $output = encode_entities($input);
# Display that input in the HTML page
return [
200, [ 'Content-type' => 'text/html' ],
[ qq[<html><head><title>Hello</title></head>],
qq[<body><p>$output</p></body></html>] ]
];
};
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment