NAME
Catalyst::Plugin::HTML::Scrubber - Catalyst plugin for
scrubbing/sanitizing incoming parameters
SYNOPSIS
    use Catalyst qw[HTML::Scrubber];

    MyApp->config(
        scrubber => {
            auto => 1,    # automatically run on every request
            ignore_params => [ qr/_html$/, 'article_body' ],

            # HTML::Scrubber HTML-encodes some characters, e.g. angle
            # brackets.  By default the plugin decodes those entities
            # again after scrubbing, so you get the plain characters back.
            # Set this to 1 to keep the entity-encoded output instead.
            no_decode_entities => 0,

            # The following are options passed straight to HTML::Scrubber
            params => [
                default => 0,   # deny every tag not listed in 'allow'
                comment => 0,   # strip comments
                script  => 0,   # strip script content
                process => 0,   # strip processing instructions
                allow   => [qw( br hr b a h1 )],
            ],
        },
    );
DESCRIPTION
On each request, sanitize HTML tags in all params (with the ability to
exempt some if needed) to protect against XSS (cross-site scripting)
attacks and other unwanted content. Scrubbing on input is a
defence-in-depth measure, not a replacement for output escaping: fields
exempted via `ignore_params` and data that never passed through this
plugin are not covered, so views must still escape what they render.
EXTENDED METHODS
setup
See SYNOPSIS for how to configure the plugin, both with its own
configuration (e.g. whether to automatically run, whether to exempt
certain fields) and passing on any options from HTML::Scrubber to
control exactly what scrubbing happens.
dispatch
Sanitize HTML tags in all parameters (except those that `ignore_params`
exempts). This covers normal POST params as well as serialised data
(e.g. a POSTed JSON body) accessed via `$c->req->body_data` or
`$c->req->data`.
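The following added example is mine, not code from this plugin or from the HTML::Scrubber distribution. It drives HTML::Scrubber directly with the SYNOPSIS settings over a hash shaped like `$c->req->params`, so the effect of each option (and of `ignore_params`) can be seen without a running Catalyst application. The `scrub_params` routine is my approximation of the work the plugin does on dispatch, not the plugin's own code; the `hardened` rules for `href`, the `no_decode_entities` switch on that routine and all sample inputs are constructed for illustration.

```perl
#!/usr/bin/env perl
# Added example (not part of Catalyst::Plugin::HTML::Scrubber): runs
# HTML::Scrubber with the SYNOPSIS settings over a params-shaped hash.
use strict;
use warnings;
use HTML::Scrubber;
use HTML::Entities qw(decode_entities);

# Same HTML::Scrubber options as the SYNOPSIS 'params' list.
my %synopsis = (
    default => 0,                      # deny every tag not listed in 'allow'
    comment => 0,                      # strip comments
    script  => 0,                      # strip <script> content, not just the tag
    process => 0,                      # strip processing instructions
    allow   => [qw( br hr b a h1 )],
);

# Hardened variant (assumption: a policy you add yourself, not a plugin
# default). 'a' is allowed above, but with no attribute rule HTML::Scrubber
# drops the tag's attributes, so links lose their href. If href must
# survive, permit it only for http(s) URLs so 'javascript:' is refused.
my %hardened = (
    %synopsis,
    rules => [
        a => {
            href => qr{^https?://}i,   # keep href only when it matches
            '*'  => 0,                 # deny every other attribute on <a>
        },
    ],
);

my @ignore_params = ( qr/_html$/, 'article_body' );   # from the SYNOPSIS

# Approximation of the plugin's per-request step: walk the params hash,
# skip exempt keys, scrub each scalar (multi-valued params arrive as array
# refs), then decode entities unless no_decode_entities is requested.
# Returns a new hash; the real plugin changes the request in place.
sub scrub_params {
    my ($scrubber, $params, %opt) = @_;
    my %out;
    for my $key (sort keys %$params) {
        my $value = $params->{$key};
        if (grep { ref $_ eq 'Regexp' ? $key =~ $_ : $key eq $_ } @ignore_params) {
            $out{$key} = $value;        # exempt: passed through untouched
            next;
        }
        my @vals  = ref $value eq 'ARRAY' ? @$value : ($value);
        my @clean = map {
            my $s = $scrubber->scrub($_);
            $opt{no_decode_entities} ? $s : decode_entities($s);
        } @vals;
        $out{$key} = ref $value eq 'ARRAY' ? \@clean : $clean[0];
    }
    return \%out;
}

# Constructed request parameters: typical XSS probes plus one exempt field.
my %params = (
    comment      => 'hi <b>there</b><script>alert(1)</script>',
    link         => '<a href="javascript:alert(1)">x</a> <a href="https://example.com/">ok</a>',
    note         => 'a < b && c > d',              # no tags, but entity-sensitive
    tags         => [ '<h1>t</h1>', '<img src=x onerror=alert(1)>' ],
    article_body => '<script>alert(1)</script>',   # exempt via ignore_params
);

for my $pair ( [ synopsis => \%synopsis ], [ hardened => \%hardened ] ) {
    my ($name, $conf) = @$pair;
    my $scrubber = HTML::Scrubber->new(%$conf);
    print "== $name config ==\n";
    my $clean = scrub_params($scrubber, \%params);
    for my $key (sort keys %$clean) {
        my $v = $clean->{$key};
        printf "%-13s %s\n", $key, ref $v ? join(' | ', @$v) : $v;
    }
    # The same field with entities left encoded, as no_decode_entities => 1 would:
    my $kept = scrub_params($scrubber, { note => $params{note} }, no_decode_entities => 1);
    printf "%-13s %s\n", 'note (raw)', $kept->{note};
}
```

Run it with `perl scrub_demo.pl`. Compare the `link` line under the two configurations and the `article_body` line under either: an exempted field reaches the application exactly as submitted, which is why every key matched by `ignore_params` needs its own handling on output.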
SEE ALSO
Catalyst, HTML::Scrubber.
AUTHOR
Hideo Kimura, << >> original author
David Precious (BIGPRESH), maintainer since 2023-07-17
COPYRIGHT AND LICENSE
Copyright (C) 2005 by Hideo Kimura
This library is free software; you can redistribute it and/or modify it
under the same terms as Perl itself.