NAME
Template::Directive::XSSAudit - TT2 output filtering lint testing
SYNOPSIS
use Template;
use Template::Directive::XSSAudit;
my $tt = Template->new({
FACTORY => "Template::Directive::XSSAudit"
});
my $input = <<'END';
Hello [% exploitable.goodness %] World!
How would you like to [% play.it.safe | html %] today?
END
my $out = '';
$tt->process(\$input, {}, \$out) || die $tt->error();
-- STDERR
NO_FILTERS -- exploitable.goodness at /usr/lib/perl5/Template/Parser.pm line 831
DESCRIPTION
This module will help you perform basic lint tests of your template toolkit files.
A callback may be provided so that the errors may be handled in a way that makes sense for the project at hand. See on_error
for more details.
Additionally, a list of filter names may be provided, instructing the module to require that certain filters be used for output escaping in the tests.
Have a look at the t/*.t files that come with the distribution as they leverage the on_error()
callback routine.
EXPORTS
None.
METHODS
- Template::Directive::XSSAudit->on_error ( [ coderef ] )
-
A default implementation is provided which will simply
carp
any problems which are found.If you call this method without a subroutine reference, it will simply return you the current implementation.
The callback will be executed in one of two cases:
- The variable in question has NO output filtering - The variable is filtered but none of the filters were found in the C<good_filter> list.
If you provide your own callback, it will be passed four parameters.
- variable name
-
This is a string represending the variable name which was found to be incorrectly escaped.
- filters applied to the variable (array ref of strings)
-
In the case of variables with no filters, this will be an empty array reference. If there are entries in this list, it means that no filter in the good filter list was found to apply to the variable. See
good_filter
for more information. - list of all good filters (array ref of strings)
-
This is the exact same information that you can get from the
good_filters
method call. - line number information (not always present)
-
This is the line number and filename where the problem occurred.
This is parsed out as best as can be done but it may come back as an empty string in many cases. It is a convenience item and should not be relied on for any sort of automation.
- Template::Directive::XSSAudit->good_filters ( [ arrayref ] )
-
This method will return the current list of "good" filters to you as an array reference. eg.
[ 'html', 'uri' ]
If you pass an array reference of strings, it will also set the list of good filters. The defaults are simply 'html' and 'uri' but I will be adding more int the future.
SEE ALSO
Template http://github.com/captin411/template-directive-xssaudit/ http://www.owasp.org/index.php/Category:OWASP_Encoding_Project/ http://ha.ckers.org/xss.html
BUGS
Please report bugs using the CPAN Request Tracker at http://rt.cpan.org/
AUTHOR
David Bartle <dbartle@mediatemple.net>
This work was sponsored by my employer, (mt) Media Temple, Inc.
COPYRIGHT
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
The full text of the license can be found in the LICENSE file included with this module.