Is HTML::StripScripts still safe for removing modern exploits?
Question
I need a way in Perl to strip naughty things, such as XSS, image interjection, and the works.
I found HTML::StripScripts, but it hasn't been updated in close to two years, and I'm not up to date with all the new exploits.
Is it safe?
What other markup languages (in Perl) would you use?
Solution 2
HTML::StripScripts is a whitelist, can use a tree-based parser, and should be as safe as the whitelist.
OTHER TIPS
XSS is a vast topic and exploits come up every other day.
Just removing scripts will not make your code/site safe.
It is better not to try to strip (blacklisting) certain things. It is safer to whitelist the HTML/special characters you will allow on your site, e.g. <b>, <i>.
Defang seems to be the latest/greatest anti-XSS lib for Perl on CPAN.
And I suggest playing with CAL9000 to get an idea of how widespread / tricky XSS is.
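To make the whitelist-over-blacklist point concrete, here is a minimal whitelist sanitizer built directly on HTML::Parser. It is an added example, not code from the answers above or from HTML::StripScripts or Defang; it assumes HTML::Parser and HTML::Entities are installed, and the set of allowed tags, attributes and URL schemes is an illustrative choice.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Parser ();
use HTML::Entities qw(encode_entities);

# Whitelist: tag => [allowed attributes]. Anything not listed here is
# escaped and shown as literal text; nothing unknown is passed through.
my %ALLOWED = (
    b  => [],
    i  => [],
    p  => [],
    br => [],
    a  => ['href'],
);
# Only these URL schemes may appear in href. Because HTML::Parser hands us
# entity-decoded attribute values, encoded forms of other schemes are caught too.
my $SAFE_HREF = qr{^(?:https?|mailto):}i;
my $ESC = '<>&"';    # characters encode_entities must always escape

sub sanitize {
    my ($html) = @_;
    my $out = '';
    my $p = HTML::Parser->new(
        api_version => 3,
        start_h => [ sub {
            my ($tag, $attr, $text) = @_;
            my $ok = $ALLOWED{$tag};
            if (!$ok) { $out .= encode_entities($text, $ESC); return }  # unknown tag: escape it
            my $rebuilt = "<$tag";
            for my $name (@$ok) {                                        # keep whitelisted attrs only
                next unless defined $attr->{$name};
                next if $name eq 'href' && $attr->{$name} !~ $SAFE_HREF;  # drop unsafe schemes
                $rebuilt .= qq{ $name="} . encode_entities($attr->{$name}, $ESC) . '"';
            }
            $out .= "$rebuilt>";
        }, 'tagname, attr, text' ],
        end_h => [ sub {
            my ($tag, $text) = @_;
            $out .= $ALLOWED{$tag} ? "</$tag>" : encode_entities($text, $ESC);
        }, 'tagname, text' ],
        text_h    => [ sub { $out .= encode_entities($_[0], $ESC) }, 'dtext' ],  # re-escape decoded text
        default_h => [ sub { $out .= encode_entities($_[0], $ESC) }, 'text'  ],  # comments, declarations, PIs
    );
    $p->parse($html);
    $p->eof;
    return $out;
}

# Constructed sample input mixing allowed markup with the things the question worries about.
my $dirty = '<b>hi</b><script>alert(1)</script><a href="javascript:alert(1)" onclick="x()">x</a>'
          . '<img src=x onerror=alert(1)><a href="https://example.com/">ok</a>';
print sanitize($dirty), "\n";
```

The script, the javascript: href, the onclick handler and the img tag all come out as inert text or are dropped, while the b and the https link survive; extending the whitelist is a deliberate decision per tag and attribute rather than a guess about which exploit to block next.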