NAME
Catalyst::Plugin::HTML::Scrubber - Catalyst plugin for scrubbing/sanitizing incoming parameters
SYNOPSIS
    use Catalyst qw[HTML::Scrubber];

    MyApp->config(
        scrubber => {
            auto => 1,   # automatically run on request

            # Exempt certain parameter names from scrubbing
            ignore_params => [ qr/_html$/, 'article_body' ],

            # Don't scrub at all for certain URL paths:
            ignore_paths => [
                '/foo',
                qr{^/foo/.+},
            ],

            # HTML::Scrubber will HTML-encode some chars, e.g. angle
            # brackets. If you don't want that, enable this setting and
            # the scrubbed values will be unencoded.
            no_decode_entities => 0,

            # The following are options to HTML::Scrubber
            params => [
                default => 0,
                comment => 0,
                script  => 0,
                process => 0,
                allow   => [qw[ br hr b a h1 ]],
            ],
        },
    );
DESCRIPTION
On request, sanitize HTML tags in all params (with the ability to exempt some if needed), to protect against XSS (cross-site scripting) attacks and other unwanted things.
EXTENDED METHODS
- setup

  See SYNOPSIS for how to configure the plugin, both with its own configuration (e.g. whether to automatically run, whether to exempt certain fields) and passing on any options from HTML::Scrubber to control exactly what scrubbing happens.

- dispatch

  Sanitize HTML tags in all parameters (unless `ignore_params` exempts them) - this includes normal POST params, and serialised data (e.g. a POSTed JSON body) accessed via `$c->req->body_data` or `$c->req->data`.
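The following is an added example, not code from the plugin itself: it reproduces what the dispatch step does with the SYNOPSIS configuration, applying the `ignore_params` rules and the HTML::Scrubber options to a constructed set of request parameters so the effect of `allow`, `default => 0` and `script => 0` can be seen directly. The parameter names and values are made up for illustration.

```perl
#!/usr/bin/perl
# Added example: stand-alone imitation of the plugin's per-request scrubbing.
use strict;
use warnings;
use HTML::Scrubber;

# The relevant parts of the SYNOPSIS configuration.
my %config = (
    ignore_params => [ qr/_html$/, 'article_body' ],
    params        => [
        default => 0,   # tags not listed in 'allow' are stripped
        comment => 0,   # HTML comments are removed
        script  => 0,   # <script> blocks are removed with their contents
        process => 0,   # processing instructions are removed
        allow   => [qw[ br hr b a h1 ]],
    ],
);

# One scrubber built from the HTML::Scrubber options, as the plugin does.
my $scrubber = HTML::Scrubber->new( @{ $config{params} } );

# Constructed sample request parameters (not real traffic).
my %params = (
    comment      => 'Hi <b>there</b><script>alert(1)</script><img src="x">',
    title        => '<h1>Title</h1><!-- note --><div>div text</div>',
    article_body => '<div class="rich">kept verbatim: matches the name rule</div>',
    bio_html     => '<i>kept verbatim: matches qr/_html$/</i>',
);

# ignore_params entries may be plain strings (exact match) or regexes.
sub is_ignored {
    my ( $name, $rules ) = @_;
    for my $rule (@$rules) {
        return 1 if ref $rule eq 'Regexp' ? $name =~ $rule : $name eq $rule;
    }
    return 0;
}

for my $name ( sort keys %params ) {
    if ( is_ignored( $name, $config{ignore_params} ) ) {
        printf "%-13s exempt:   %s\n", $name, $params{$name};
        next;
    }
    printf "%-13s scrubbed: %s\n", $name, $scrubber->scrub( $params{$name} );
}
```

Running this shows the `comment` and `title` values with only the allowed tags left and the script block, comment and disallowed tags removed, while `article_body` and `bio_html` pass through untouched.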
SEE ALSO
AUTHOR
Hideo Kimura, <hide@hide-k.net> (original author)

David Precious (BIGPRESH), <davidp@preshweb.co.uk> (maintainer since 2023-07-17)
COPYRIGHT AND LICENSE
Copyright (C) 2005 by Hideo Kimura
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.