[MKDoc-commit] [MKDoc::Text::Structured] stop some implausible XSS attacks

bruno at mkdoc.demon.co.uk bruno at mkdoc.demon.co.uk
Thu Jan 5 16:48:28 GMT 2006


Log Message:
-----------
[MKDoc::Text::Structured] stop some implausible XSS attacks

Modified Files:
--------------
    MKDoc-Text-Structured:
        Changes
    MKDoc-Text-Structured/lib/MKDoc/Text/Structured:
        Inline.pm
        PRE.pm
    MKDoc-Text-Structured/t:
        014_niceties.t
        021_smilies.t

Index: Changes
===================================================================
RCS file: /var/spool/cvs/MKDoc-Text-Structured/Changes,v
retrieving revision 1.30
retrieving revision 1.31
diff -LChanges -LChanges -u -r1.30 -r1.31
--- Changes
+++ Changes
@@ -2,6 +2,7 @@
 
 0.84
     - Fix bug where "========---~>" made previous line into <h2>
+    - substitute ( ) # " http://www.cgisecurity.com/articles/xss-faq.shtml
 
 0.83 Fri Aug 19 17:15:00 2005
     - fix for <pre> indenting bug when first line is more indented than second
Index: PRE.pm
===================================================================
RCS file: /var/spool/cvs/MKDoc-Text-Structured/lib/MKDoc/Text/Structured/PRE.pm,v
retrieving revision 1.4
retrieving revision 1.5
diff -Llib/MKDoc/Text/Structured/PRE.pm -Llib/MKDoc/Text/Structured/PRE.pm -u -r1.4 -r1.5
--- lib/MKDoc/Text/Structured/PRE.pm
+++ lib/MKDoc/Text/Structured/PRE.pm
@@ -46,6 +46,10 @@
     $text      =~ s/&/&amp;/g;
     $text      =~ s/</&lt;/g;
     $text      =~ s/>/&gt;/g;
+    $text      =~ s/"/&quot;/g;
+    $text      =~ s/#/&#35;/g;
+    $text      =~ s/\(/&#40;/g;
+    $text      =~ s/\)/&#41;/g;
 
     return "<pre>$text</pre>";
 }
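Review bot: The order of these substitutions is load-bearing and nothing says so: `&` on L48 has to be replaced before any entity is inserted, and the `#` replacement on L52 has to precede the `(`/`)` replacements on L53–L54 because `&#40;` and `&#41;` themselves contain `#`; reordering any of them would double-escape or corrupt the output. A comment above L48 such as `# '&' first, then '#' before the numeric references below, so nothing inserted here is re-escaped` would protect this from a later tidy-up. Minor style point: `"` becomes the named `&quot;` while the three new ones are numeric references; `&#34;` would make the set uniform, though both are valid. The enclosing function starts outside the hunk.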
Index: Inline.pm
===================================================================
RCS file: /var/spool/cvs/MKDoc-Text-Structured/lib/MKDoc/Text/Structured/Inline.pm,v
retrieving revision 1.17
retrieving revision 1.18
diff -Llib/MKDoc/Text/Structured/Inline.pm -Llib/MKDoc/Text/Structured/Inline.pm -u -r1.17 -r1.18
--- lib/MKDoc/Text/Structured/Inline.pm
+++ lib/MKDoc/Text/Structured/Inline.pm
@@ -84,6 +84,9 @@
 
     $Text =~ s/^ //;
     $Text =~ s/ $//;
+    $Text =~ s/#/&#35;/g;
+    $Text =~ s/\(/&#40;/g;
+    $Text =~ s/\)/&#41;/g;
     return $Text;
 }
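Review bot: These substitutions run on `$Text` after inline markup has already been built (the updated t/021_smilies.t expectations show `&#41;` inside an already-generated `<span>`), so they are safe only as long as `#`, `(` and `)` never occur in markup this module emits; any earlier step producing a numeric character reference or a `#` in an `href` would be corrupted by L70 (`&#160;` would become `&&#35;160;`). The visible tests only show named entities, so this may hold today, but it is fragile — escaping the raw text before markup is built, as PRE.pm does in this commit, would remove the dependency, and at minimum a comment should record it: `# runs on generated HTML: these three characters must never appear in markup emitted above`. Unlike PRE.pm, this file does not gain a `"` escape; it cannot be added here without breaking attribute quotes, so confirm `"` is handled where `&`, `<` and `>` are escaped earlier in the function (outside the hunk) — t/014_niceties.t shows `&amp;&lt;&gt;` in a title but no quote case. The same applies to the second hunk of this file (ending at the next `return $Text;`). Both enclosing functions start outside the hunk.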
 
@@ -118,6 +121,9 @@
     
     $Text =~ s/^ //;
     $Text =~ s/ $//;
+    $Text =~ s/#/&#35;/g;
+    $Text =~ s/\(/&#40;/g;
+    $Text =~ s/\)/&#41;/g;
     return $Text;
 }
 
Index: 021_smilies.t
===================================================================
RCS file: /var/spool/cvs/MKDoc-Text-Structured/t/021_smilies.t,v
retrieving revision 1.2
retrieving revision 1.3
diff -Lt/021_smilies.t -Lt/021_smilies.t -u -r1.2 -r1.3
--- t/021_smilies.t
+++ t/021_smilies.t
@@ -7,21 +7,21 @@
 my $text = undef;
 
 $text = MKDoc::Text::Structured::process ('This :-)is a;-) test :-(');
-is ($text, '<p>This <span class="smiley-happy">:-)</span>is a;-) test <span class="smiley-sad">:-(</span></p>');
+is ($text, '<p>This <span class="smiley-happy">:-&#41;</span>is a;-&#41; test <span class="smiley-sad">:-&#40;</span></p>');
 
 $text = MKDoc::Text::Structured::process ('test &-) test');
-is ($text, '<p>test &amp;-) test</p>');
+is ($text, '<p>test &amp;-&#41; test</p>');
 
 $text = MKDoc::Text::Structured::process ('BBC (Brit Broad Corp :-) test');
-is ($text, '<p><abbr title="Brit Broad Corp :-">BBC</abbr> (Brit Broad Corp <span class="smiley-happy">:-)</span> test</p>');
+is ($text, '<p><abbr title="Brit Broad Corp :-">BBC</abbr> &#40;Brit Broad Corp <span class="smiley-happy">:-&#41;</span> test</p>');
 
 $text = MKDoc::Text::Structured::process ('BBC(Brit Broad Corp :-) test');
 is ($text, '<p><abbr title="Brit Broad Corp :-">BBC</abbr> test</p>');
 
 $text = MKDoc::Text::Structured::process ('BBC(Brit Broad Corp :-( ) test');
-is ($text, '<p><abbr title="Brit Broad Corp :-(">BBC</abbr> test</p>');
+is ($text, '<p><abbr title="Brit Broad Corp :-&#40;">BBC</abbr> test</p>');
 
 $text = MKDoc::Text::Structured::process ('This is a test: mailto:-)@mkdoc.com');
-is ($text, '<p>This is a test: <a href="mailto:-)@mkdoc.com">-)@mkdoc.com</a></p>');
+is ($text, '<p>This is a test: <a href="mailto:-&#41;@mkdoc.com">-&#41;@mkdoc.com</a></p>');
 
 __END__
Index: 014_niceties.t
===================================================================
RCS file: /var/spool/cvs/MKDoc-Text-Structured/t/014_niceties.t,v
retrieving revision 1.6
retrieving revision 1.7
diff -Lt/014_niceties.t -Lt/014_niceties.t -u -r1.6 -r1.7
--- t/014_niceties.t
+++ t/014_niceties.t
@@ -42,7 +42,7 @@
 is ($text, '<p>I wonder if this works&hellip;</p>');
 
 $text = MKDoc::Text::Structured::process ("... (...) ... .... ..");
-is ($text, '<p>&hellip; (&hellip;) &hellip; .... ..</p>');
+is ($text, '<p>&hellip; &#40;&hellip;&#41; &hellip; .... ..</p>');
 
 $text = MKDoc::Text::Structured::process ("ACLU(American Civil Liberties Union)");
 is ($text, '<p><abbr title="American Civil Liberties Union">ACLU</abbr></p>');
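Review bot: None of the updated expectations cover the case the log message is about — a `"` in an abbreviation expansion, which is the one of the four added escapes that matters inside `title="..."`; the new assertions only pin the cosmetic effect of escaping `(` and `)`. Add a case such as `$text = MKDoc::Text::Structured::process ('ACLU(Civil "Liberties" Union)');` followed by `is ($text, '<p><abbr title="Civil &quot;Liberties&quot; Union">ACLU</abbr></p>');` (expected value constructed; adjust it to the entity Inline.pm actually emits, and treat a raw `"` in the output as a failure). The same gap exists in the t/021_smilies.t hunk.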
@@ -57,7 +57,7 @@
 is ($text, '<p><abbr title="Fat Australian &amp;&lt;&gt;Red Tigers">FART</abbr></p>');
 
 $text = MKDoc::Text::Structured::process ("ACLU (American Civil Liberties Union)");
-is ($text, '<p><abbr title="American Civil Liberties Union">ACLU</abbr> (American Civil Liberties Union)</p>');
+is ($text, '<p><abbr title="American Civil Liberties Union">ACLU</abbr> &#40;American Civil Liberties Union&#41;</p>');
 
 $text = MKDoc::Text::Structured::process ("(tm), (r), (c)! Roxor 10x2");
 is ($text, '<p>&trade;, &reg;, &copy;! Roxor 10&times;2</p>');

