Is there a good library in CPAN for filtering out cross-site scripting (XSS)?
Question
Is there a good library in CPAN for filtering out a textfield for all the bad things, like XSS?
Solution
Your first step should always be to search and browse through the results. It looks like there are lots of potential hits. When I'm looking for something new, I browse through search results and check the docs of modules to see how clear they are and how well built the API is. I also look for reviews (some have, some don't - it's often random) and check bugs. It gives me a sense of what I'm dealing with.
If your question is "Which of these various options is best?", then I'm afraid I don't know in this case. (My initial answer may have been too general.)
Two good places to start a search of CPAN:
OTHER TIPS
At the base level you want HTML::Entities, but which escape you choose depends on where in the DOM you're using the values. It won't help at all to HTML-entity-encode a user input if you stick it inside a <script> tag, for example.
It's pretty likely that you're using some kind of template to generate the HTML, so it should have a method to escape the content: HTML::Mason has <% $thing |h %>, Template::Toolkit has [% thing | html %] ... but if you're just doing it in your own code you'll need to call encode_entities yourself.
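The context point made above, as an added Perl example (not code from either answer or from HTML::Entities itself): the same attacker-controlled string is rendered into element text, into a quoted attribute, and into a <script> block. The helper names for_text, for_attr and for_script are my own; the only modules used are HTML::Entities (the one recommended above) and the core JSON::PP, which is what I use for the script context since entity encoding does nothing there.

```perl
#!/usr/bin/env perl
# Added example, not from the original page: context-aware output encoding.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);
use JSON::PP ();   # core module; used only for the <script> context

# Constructed attacker-controlled input (breaks out of text, attributes and script)
my $input = q{"><script>alert(1)</script><img src=x onerror='alert(2)'>};

# 1. Element text: the default encode_entities set covers <, >, &, " and '
sub for_text {
    my ($s) = @_;
    return encode_entities($s);
}

# 2. Attribute value: same encoding, but the attribute MUST be quoted; an
#    unquoted attribute can still be broken out of with a space.
sub for_attr {
    my ($s) = @_;
    return '"' . encode_entities($s) . '"';
}

# 3. Inside <script>: the browser does not decode entities there, so
#    encode_entities leaves you with a literal "&lt;" in the JS string and a
#    real "</script>" in the input still ends the element. Serialize the
#    value as a JSON string instead (ASCII-only, so U+2028/2029 become \u
#    escapes) and break up "</" so it can never close the script element.
sub for_script {
    my ($s) = @_;
    my $json = JSON::PP->new->ascii->allow_nonref->encode($s);
    $json =~ s{</}{<\\/}g;
    return $json;
}

print "<p>", for_text($input), "</p>\n";
print "<input value=", for_attr($input), ">\n";
print "<script>var x = ", for_script($input), ";</script>\n";
```

Run it and compare the three lines: the first two contain no raw < or " from the input, while the third contains a JSON literal with the closing tag split as <\/script>, which is the only form that is safe inside a script element. If you are on Template::Toolkit or Mason, the template filters mentioned above do the first two cases for you; the script case still needs explicit JSON encoding.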