
Convert characters to HTML entities 2

Status
Not open for further replies.

petey

Programmer
Mar 25, 2001
383
US
Anybody have, or know of, a way to convert characters into HTML entities in Perl? This is not URL escaping (%nn), but rather HTML escaping (&#nnn;).

I want to echo user input out to the browser for display, but display it literally, avoiding "payload" code being executed in the user's browser as if it were from my site.

Such a thing would be useful for stopping cross site scripting (XSS) in its tracks.

Thanks,
petey
 
Why do you need to output as pure HTML?
Print the user input as a string but only allow A-Z, a-z, punctuation and numbers; you will prevent those wily little blighters from hijacking your code.

Hope this helps
Keith

If I look like Polar bear, have fur like a Polar Bear and have big feet like a Polar Bear - Why am I so damn cold?
 
For the 99.9% of users who are not wily blighters! :)

I'd like them to see what they entered in full, but not have it execute.

petey
 
Wrap it in <pre></pre> tags??? Hope this helps.

If you are new to Tek-Tips, please use descriptive titles, check the FAQs, and beware the evil typo.
 
No dice. PRE tags still allow other tags and such to be rendered.

petey
 
I think I could better have stated myself by saying "Numeric character references" rather than "HTML entities".

Here's a link about it.

Is there a mechanism in Perl that translates a character into a Latin-1 decimal numeric equivalent?

petey
 
If I understand you correctly, then the following will work. It replaces each character of a string with its decimal equivalent, encoded so that a browser will read it correctly.
Code:
# Every character of $string becomes a decimal numeric character reference (&#nnn;)
$encoded = join '', map { '&#'.ord.';' } split //, $string;

(Ha, I had to use this code to encode '&#' to get it to show up correctly)

jaa
 
You could also do
Code:
# \W matches anything except [A-Za-z0-9_], so only those characters are encoded
$string =~ s/(\W)/'&#'.ord($1).';'/eg;
which would only encode 'dangerous' characters.

jaa
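The two one-liners above, written out as an added example that is not code from the thread, next to the minimal five-character escape that HTML-escaping libraries use. The sub names (`ncr_all`, `ncr_nonword`, `html_escape`) and the XSS payload are assumptions made up for this example; the script checks its own output before printing it.

```perl
#!/usr/bin/perl
# Added example (not from the thread): three ways to HTML-escape untrusted
# input before echoing it into a page, checked against a constructed payload.
use strict;
use warnings;

# 1. Every character as a decimal numeric character reference (NCR).
#    This is the first one-liner from the thread, written out. Nothing is
#    left that a browser could parse as markup, at the cost of ~5x the size.
sub ncr_all {
    my ($s) = @_;
    return join '', map { '&#' . ord($_) . ';' } split //, $s;
}

# 2. Only non-word characters (the second one-liner). \W matches everything
#    except [A-Za-z0-9_], so < > & " ' / and whitespace are all encoded while
#    letters and digits pass through, which keeps the output readable.
sub ncr_nonword {
    my ($s) = @_;
    (my $out = $s) =~ s/(\W)/'&#' . ord($1) . ';'/eg;
    return $out;
}

# 3. The usual minimal set: the five characters that change how an HTML
#    parser reads text content or a quoted attribute value. HTML::Entities
#    (CPAN) escapes at least these five by default; so do most template
#    engines. Only safe for text nodes and quoted attribute values.
my %ESC = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',   # &apos; is not an HTML 4 entity, so use the NCR
);
sub html_escape {
    my ($s) = @_;
    (my $out = $s) =~ s/([&<>"'])/$ESC{$1}/g;
    return $out;
}

# Built-in checks on values that are easy to verify by hand (ord('<') is 60).
die "ncr_all broken\n"     unless ncr_all('<')        eq '&#60;';
die "html_escape broken\n" unless html_escape('<b>')  eq '&lt;b&gt;';

# Constructed input: a reflected-XSS probe plus an attribute break-out
# attempt. Made up for this example, not taken from any real site.
my $payload = q{<script>alert("xss")</script>" onmouseover='alert(1)};

for my $f (\&ncr_all, \&ncr_nonword, \&html_escape) {
    my $safe = $f->($payload);
    # Check a practitioner would want: no raw < > " ' and no bare & (one
    # not starting a reference) may survive, so the browser sees only text.
    die "unsafe output: $safe\n"
        if $safe =~ /[<>"']/ || $safe =~ /&(?!#?\w+;)/;
    print "$safe\n";
}
```

All three meet the requirement in the question: the visitor sees exactly what was typed, because the browser decodes the references back to text instead of parsing them as tags. They differ in output size and readability, not in safety for HTML text content and quoted attributes. None of them is enough when the value lands in a URL, a JavaScript string, a CSS value or an unquoted attribute; each of those contexts has its own escaping. Escape at output time rather than on input, so the stored original is intact for other uses.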
 
Thanks justice41. This is pretty much exactly what I was looking for.

-petey
 
Does someone know how to escape URLs then (the URL escaping mentioned earlier)?
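The thread does not answer this, so here is an added example that is not code from the thread: the %nn URL escaping that the first post set aside, done by hand and with the CPAN module URI::Escape, and how it stacks with HTML escaping when the URL is written into an href. The sub names, the `/search?q=` URL and the untrusted value are assumptions made up for the example.

```perl
#!/usr/bin/perl
# Added example (not from the thread): URL escaping (%XX, RFC 3986) of an
# untrusted query-string value, by hand and with URI::Escape, and how it is
# layered with HTML escaping when the URL is written into an href.
use strict;
use warnings;

# Hand-rolled percent-encoder: leave the RFC 3986 "unreserved" set alone and
# encode every other byte as %XX with uppercase hex. Works on bytes, so a
# string holding non-ASCII characters is UTF-8 encoded first.
sub url_escape {
    my ($s) = @_;
    utf8::encode($s) if utf8::is_utf8($s);
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/eg;
    return $s;
}

# Inverse: %XX back to the byte. A form handler decodes each value once.
sub url_unescape {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
    return $s;
}

# Built-in checks on values that are easy to verify by hand.
die "url_escape broken\n"   unless url_escape('a b&c=d') eq 'a%20b%26c%3Dd';
die "url_unescape broken\n" unless url_unescape('a%20b%26c%3Dd') eq 'a b&c=d';

# Constructed untrusted value (made up for this example): breaks out of a
# query string and, if echoed raw into an attribute, out of the attribute too.
my $user_value = q{a b&c=d/"><script>alert(1)</script>};
my $q = url_escape($user_value);
die "round trip failed\n" unless url_unescape($q) eq $user_value;

# Layering: the value is made safe for the URL context first, then the whole
# URL is made safe for the HTML attribute it lands in. After percent-encoding,
# the only HTML-special character left in this URL is the & between the
# parameters, so that is all the attribute layer has to touch. Each layer
# undoes only its own encoding (the browser HTML-decodes the attribute, then
# the server URL-decodes the parameter), so the order matters.
my $url = "/search?q=$q&page=1";
(my $href = $url) =~ s/&/&amp;/g;
print qq{<a href="$href">link</a>\n};

# The same encoder from CPAN, which most Perl code uses in practice. The
# second argument is the set of characters to escape; passing the RFC 3986
# unreserved set explicitly pins the behaviour across URI::Escape versions,
# so the result must agree with url_escape above.
if (eval { require URI::Escape; 1 }) {
    my $m = URI::Escape::uri_escape($user_value, '^A-Za-z0-9\-._~');
    die "encoders disagree: $m\n" unless $m eq $q;
    print "URI::Escape agrees: $m\n";
}
```

Escape each parameter value on its own before assembling the URL; escaping an already-built URL would also encode the `?`, `=` and `&` that give it structure. The two escapings are not interchangeable: %3C is meaningless to an HTML parser and &lt; is meaningless inside a query string, which is why a URL built from user input and then printed into a page needs both, in that order.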
 