NAME

Catalyst::Plugin::HTML::Scrubber - Catalyst plugin for scrubbing/sanitizing incoming parameters

SYNOPSIS

 use Catalyst qw[HTML::Scrubber];

 MyApp->config( 
     scrubber => {
         auto => 1,  # automatically run on request

         # Exempt certain parameter names from scrubbing
         ignore_params => [ qr/_html$/, 'article_body' ],

         # Don't scrub at all for certain URL paths:
         ignore_paths => [
             '/foo',
             qr{^/foo/.+},
         ],

         # HTML::Scrubber will HTML-encode some chars, e.g. angle
         # brackets.  If you don't want that, enable this setting and
         # the scrubbed values will be unencoded.
         no_decode_entities => 0,
         
         # The following are options to HTML::Scrubber
         params => [
             default => 0,
             comment => 0,
             script => 0,
             process => 0,
             allow => [qw [ br hr b a h1]],
         ],
     },
);

DESCRIPTION

On request, sanitize HTML tags in all params (with the ability to exempt some if needed), to protect against XSS (cross-site scripting) attacks and other unwanted things.

EXTENDED METHODS

setup

See SYNOPSIS for how to configure the plugin, both with its own configuration (e.g. whether to automatically run, whether to exempt certain fields) and passing on any options from HTML::Scrubber to control exactly what scrubbing happens.

dispatch

Sanitize HTML tags in all parameters (unless `ignore_params` exempts them) - this includes normal POST params, and serialised data (e.g. a POSTed JSON body) accessed via `$c->req->body_data` or `$c->req->data`.

SEE ALSO

Catalyst, HTML::Scrubber.

AUTHOR

Hideo Kimura, << <hide@hide-k.net> >> original author

David Precious (BIGPRESH), <davidp@preshweb.co.uk> maintainer since 2023-07-17

COPYRIGHT AND LICENSE

Copyright (C) 2005 by Hideo Kimura

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.