NAME
    Catalyst::Plugin::HTML::Scrubber - Catalyst plugin for scrubbing/sanitizing
    incoming parameters

SYNOPSIS
        use Catalyst qw[HTML::Scrubber];

        MyApp->config(
            scrubber => {
                auto => 1,   # automatically run on every request

                # Exempt certain parameter names from scrubbing: plain
                # strings match the name exactly, regexes are matched
                # against it.
                ignore_params => [ qr/_html$/, 'article_body' ],

                # Don't scrub at all for certain URL paths:
                ignore_paths => [ '/foo', qr{^/foo/.+} ],

                # HTML::Scrubber HTML-encodes some characters in text, e.g.
                # angle brackets become &lt; / &gt;. By default the plugin
                # decodes those entities again after scrubbing; set this
                # to 1 to keep the encoded form.
                no_decode_entities => 0,

                # The following are options passed straight to HTML::Scrubber
                params => [
                    default => 0,
                    comment => 0,
                    script  => 0,
                    process => 0,
                    allow   => [qw[ br hr b a h1 ]],
                ],
            },
        );

DESCRIPTION
    On each request, sanitize HTML tags in all params (with the ability to
    exempt some if needed), to protect against XSS (cross-site scripting)
    attacks and other unwanted things.

    This is input sanitisation only: it does not replace escaping values
    when they are rendered in templates. Parameters exempted via
    "ignore_params", and every parameter of a request whose path matches
    "ignore_paths", reach your code unscrubbed and must be handled there.
    Which attributes survive on an allowed tag (for example "href" on "a")
    is governed by the HTML::Scrubber rules you pass in "params".

EXTENDED METHODS
  setup
    See SYNOPSIS for how to configure the plugin, both with its own
    configuration (e.g. whether to run automatically, which fields or paths
    to exempt) and by passing on options to HTML::Scrubber to control
    exactly what scrubbing happens.

  dispatch
    Sanitize HTML tags in all parameters (unless "ignore_params" exempts
    them). This includes normal POST params and serialised data (e.g. a
    POSTed JSON body) accessed via "$c->req->body_data" or "$c->req->data".

SEE ALSO
    Catalyst, HTML::Scrubber.

AUTHOR
    Hideo Kimura, original author

    David Precious (BIGPRESH), maintainer since 2023-07-17

COPYRIGHT AND LICENSE
    Copyright (C) 2005 by Hideo Kimura

    This library is free software; you can redistribute it and/or modify it
    under the same terms as Perl itself.
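The following stand-alone script is an added example and is not code from Catalyst::Plugin::HTML::Scrubber or from the Catalyst project. It applies the HTML::Scrubber options from the SYNOPSIS directly to a constructed request body, walks nested data the way a decoded JSON body would need, and applies the "ignore_params" / "ignore_paths" lists, so the effect of the configuration can be inspected before wiring the plugin into an app. The exemption matching (string equality for plain strings, regex match for "qr//" rules), the recursive walk and the decode-after-scrub step are this example's own assumptions about how the plugin behaves; the helper names "matches_any", "scrub_string" and "scrub_data" are not plugin APIs. It needs HTML::Scrubber and HTML::Entities from CPAN.

```perl
#!/usr/bin/env perl
# Added example, not code from Catalyst::Plugin::HTML::Scrubber itself.
# Assumed (not taken from the plugin): exemption rules match by string
# equality or regex, bodies are walked recursively, and entities are
# decoded after scrubbing unless no_decode_entities is set.
use strict;
use warnings;
use HTML::Scrubber;
use HTML::Entities qw(decode_entities);

# Same options as the `params` list in the SYNOPSIS.
my $scrubber = HTML::Scrubber->new(
    default => 0,                     # unlisted tags are removed
    comment => 0,                     # <!-- comments --> are removed
    script  => 0,                     # <script> blocks, content included, are removed
    process => 0,                     # <? processing instructions ?> are removed
    allow   => [qw( br hr b a h1 )],  # the only tags left standing
);

# Exemption lists from the SYNOPSIS.
my @ignore_params = ( qr/_html$/, 'article_body' );
my @ignore_paths  = ( '/foo', qr{^/foo/.+} );

# Plain strings match exactly; compiled regexes are matched against the value.
sub matches_any {
    my ($value, @rules) = @_;
    for my $rule (@rules) {
        return 1 if ref($rule) eq 'Regexp' ? $value =~ $rule : $value eq $rule;
    }
    return 0;
}

# Scrub one string; then, unless no_decode_entities is set, undo the
# entity encoding HTML::Scrubber applies to text (e.g. "&lt;" back to "<").
sub scrub_string {
    my ($str, %opt) = @_;
    my $out = $scrubber->scrub($str);
    $out = decode_entities($out) unless $opt{no_decode_entities};
    return $out;
}

# Walk a decoded request body (hash/array/scalar, as $c->req->body_data
# would hold a JSON document) and scrub every string in place, skipping
# hash entries whose key is exempt.
sub scrub_data {
    my ($data, %opt) = @_;
    if (ref $data eq 'HASH') {
        for my $key (keys %$data) {
            next if matches_any($key, @ignore_params);
            $data->{$key} = scrub_data($data->{$key}, %opt);
        }
    }
    elsif (ref $data eq 'ARRAY') {
        $_ = scrub_data($_, %opt) for @$data;   # `for` aliases, so this edits in place
    }
    elsif (!ref $data && defined $data) {
        $data = scrub_string($data, %opt);
    }
    return $data;
}

# Constructed request: a path plus a JSON-like body with hostile values.
my $path = '/articles/new';
my $body = {
    title        => 'Hi <b>there</b><script>alert(1)</script> 1 < 2',
    signature    => '<a href="javascript:alert(1)" onclick="x()">me</a>',
    tags         => [ '<img src=x onerror=alert(1)>', 'plain' ],
    article_body => '<p>left as-is: the name is on ignore_params</p>',
    bio_html     => '<iframe src="//evil.example"></iframe>',
};

if (matches_any($path, @ignore_paths)) {
    print "path $path is exempt, nothing scrubbed\n";
}
else {
    scrub_data($body);
    for my $key (sort keys %$body) {
        my $v = $body->{$key};
        print "$key: ", (ref $v ? join(' | ', @$v) : $v), "\n";
    }
}
```

Run it once with "$path" as shown and once with "/foo/bar" to see the whole-path exemption short-circuit everything. With the SYNOPSIS settings the "<script>" block and the "<img>" and "<iframe>" tags disappear from non-exempt fields, while "article_body" and "bio_html" come through untouched; whatever text is in "1 < 2" is re-encoded by HTML::Scrubber and then decoded back, which is the round trip that "no_decode_entities" switches off. Whether "href" and "onclick" survive on the allowed "<a>" depends on HTML::Scrubber's attribute rules, which this configuration leaves at their defaults, so check that line of output before relying on the allow list for anchors.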