Question

I need a way in Perl to strip naughty things, such as XSS, image interjection, and the works.

I found HTML::StripScripts, but it hasn't been updated in close to two years, and I'm not up to date with all the new exploits.

Is it safe?

What other markups languages (in Perl) would you use?


Solution 2

HTML::StripScripts is a whitelist, and can use a tree-based parser and should be as safe as the whitelist.

OTHER TIPS

XSS is a vast topic and exploits come up every other day.

Just removing scripts will not make your code/site safe.

It is better not to try to strip (blacklisting) certain things. It is safer to whitelist the HTML/special characters you will allow on your site, i.e. <b>, <i>.

Defang seems to be the latest/greatest anti-XSS lib for Perl on CPAN.

Blacklisting vs Whitelisting

OWASP XSS Cheat Sheet

And I suggest playing with CAL9000 to get an idea of how widespread/tricky XSS is.
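As an added example (not code from the thread or from the HTML::StripScripts distribution), this is what the whitelist approach recommended above looks like with HTML::StripScripts::Parser: the set of allowed tags, the option values and the sample inputs are assumptions chosen for illustration, and the exact output will depend on the installed module version.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::StripScripts::Parser;

# Allow-list filter for user comments: only inline <b>, <i>, <em>, <strong>
# and <a href> survive; every other tag and attribute is removed rather than
# looked up in a list of "known bad" constructs.
sub make_comment_filter {
    return HTML::StripScripts::Parser->new(
        {
            Context     => 'Inline',                 # no block-level markup at all
            BanAllBut   => [qw( b i em strong a )],  # allow-list, not a ban-list
            AllowHref   => 1,                        # keep href on <a> (http/https/ftp only)
            AllowSrc    => 0,                        # never keep src, so no <img>
            AllowRelURL => 0,                        # absolute URLs only
            AllowMailto => 0,                        # no mailto: links
        },
        strict_comment => 1,                         # HTML::Parser options follow
        strict_names   => 1,
    );
}

# Filter one fragment of untrusted HTML and return the cleaned markup.
sub sanitize_comment {
    my ($html) = @_;
    my $hss = make_comment_filter();
    return $hss->filter_html($html);
}

# Constructed sample inputs (assumed for this example, not from the thread):
# harmless formatting, a plain link, and a few tags/attributes that the
# allow-list is expected to strip.
my @samples = (
    '<b>bold</b> and <i>italic</i> text',
    '<a href="http://example.com/">ok link</a>',
    '<a href="javascript:void(0)">non-http scheme</a>',
    '<img src="http://example.com/x.png" onerror="unexpected()">',
    '<script>unexpected()</script><div>block content</div>',
);

for my $dirty (@samples) {
    printf "%-60s => %s\n", $dirty, sanitize_comment($dirty);
}
```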

Licensed under: CC-BY-SA with attribution