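package Template::Plugin::StripScripts;

use strict;
use warnings;

use HTML::StripScripts::Parser;
use base qw(Template::Plugin::Filter);

our $VERSION = 0.02;

# Register the filter with the Template Toolkit context.
#
# The filter is marked dynamic (_DYNAMIC = 1), so the options written at the
# point of use ([% FILTER stripscripts ... %]) are evaluated on every
# invocation rather than once at [% USE %] time.  The filter name defaults to
# 'stripscripts' and may be overridden by the first positional argument given
# to USE.
sub init {
    my ($self) = @_;

    $self->{_DYNAMIC} = 1;
    $self->install_filter( $self->{_ARGS}->[0] || 'stripscripts' );

    return $self;
}

# Filter body invoked by Template::Plugin::Filter.
#
# $text   - the HTML to sanitise
# $args   - positional filter arguments (not used)
# $config - named filter arguments.  Every key except ParserOptions is handed
#           to HTML::StripScripts::Parser->new as its configuration hash
#           (Context, BanList, BanAllBut, Allow*, EscapeFiltered, Rules ...).
#           The value of ParserOptions, when it is a hash ref, is expanded
#           into the option list passed alongside it (these end up with the
#           underlying HTML::Parser, e.g. strict_names / strict_comments).
#
# Returns the sanitised HTML produced by filter_html().
sub filter {
    my ( $self, $text, $args, $config ) = @_;

    # Work on a shallow copy so the caller's config hash is left untouched
    # (the original deleted ParserOptions from the hash it was given) and so
    # an undefined $config is tolerated.
    my %hss_config = %{ $config || {} };
    my $parser_options = delete $hss_config{ParserOptions};

    # An absent or malformed ParserOptions yields an empty option list.
    # Passing a lone undef instead (as the original did) hands the
    # underlying HTML::Parser an odd-length option list.
    my @parser_options
        = ref $parser_options eq 'HASH' ? %{$parser_options} : ();

    my $hss = HTML::StripScripts::Parser->new( \%hss_config, @parser_options );

    return $hss->filter_html($text);
}

1;

__END__

=head1 NAME

Template::Plugin::StripScripts - TT plugin to filter HTML against XSS

=head1 SYNOPSIS

  [% USE StripScripts %]

  [% FILTER stripscripts
       Context        => 'Document',
       BanList        => ['br' 'img'],
       BanAllBut      => ['p' 'div' 'span'],
       AllowSrc       => 1,
       AllowHref      => 1,
       AllowRelURL    => 0,
       AllowMailto    => 0,
       EscapeFiltered => 0,
       Rules          => { See the POD of HTML::StripScripts },
       ParserOptions  => {
           strict_names    => 1,
           strict_comments => 1,
       },
  %]
  ... HTML which can cause XSS ...
  [% END %]

or

  [% myhtml | stripscripts options_like_above %]

=head1 DESCRIPTION

Template::Plugin::StripScripts is a Template::Toolkit plugin to filter HTML
and strip scripting snippets which can cause XSS.

Additionally, thanks to the features of L<HTML::StripScripts>, this module
offers a good deal of flexibility in how the HTML is treated.  For more
details about the filter options, consult the documentation of
L<HTML::StripScripts>.

All named options except C<ParserOptions> are passed through unchanged as the
configuration hash of L<HTML::StripScripts::Parser>.  The C<ParserOptions>
hash is passed on separately as options for the underlying HTML parser.

Two practical notes when deploying the filter:

=over 4

=item *

The C<Allow*> options each re-enable something the parser would otherwise
strip (C<src> attributes, C<href> attributes, relative URLs, C<mailto:>
links).  Enable only what the templates actually need; the more of them
that are on, the larger the surface an attacker can work with.

=item *

The output of this filter is HTML that is meant to be emitted as-is.  Do not
run it through a further escaping filter (such as TT's C<html> filter) or
the allowed markup will be rendered as literal text; conversely, do not
emit untrusted HTML without this or an equivalent sanitiser.

=back

=head1 SEE ALSO

=over 4

=item * L<HTML::StripScripts::Parser>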