Preventing Cross-site Scripting Attacks
In Your Web Applications
by Paul Lindner
February 20, 2002
The cross-site scripting attack is one of the most common, yet overlooked, security
problems facing web developers today. A web site is vulnerable if it displays
user-submitted content without checking for malicious script tags.
Luckily, Perl and mod_perl provide us with easy solutions to this problem. We highlight
these built-in solutions and also introduce a new mod_perl module:
Apache::TaintRequest. This module helps you secure mod_perl applications by applying
Perl's powerful tainting rules to HTML output.
What is Cross-Site Scripting?
Lately the news has been full of reports on web site security lapses. Some recent
headlines include the following grim items: Security problems open Microsoft's Wallet,
Schwab financial site vulnerable to attack, or New hack poses threat to popular Web
services. In all these cases the root problem was caused by a Cross-Site Scripti