http://qs1969.pair.com?node_id=539378

jesuashok has asked for the wisdom of the Perl Monks concerning the following question:


Re: taint mode perplexities
by liverpole (Monsignor) on Oct 06, 2006 at 11:59 UTC
    At this site, the following was written on March 25, 2006:
    I have been reading up on web security and I am getting paranoid. I operate under taint mode, although I must confess to being a little in the dark as to what that means. I am using the following code in order to filter input from a form:

        $TEST =~ s/[^a-zA-Z0-9@\/.,: ]//g;

    It works as expected, but I am trying to make it as secure as possible and found that if a user enters '<SCRIPT>' into a form field it treats it as Java code and it is not filtered. I assume that I could follow this with some other code and do some harm. I need to avoid this security hole and obviously I could check for the word '<SCRIPT>' in STDIN. Is there a better way of doing this and what other holes should I be aware of?

    Keith

    s''(q.S:$/9=(T1';s;(..)(..);$..=substr+crypt($1,$2),2,3;eg;print$..$/

      In a really odd twist, I note that the original title of this node was "audio program" ... while "audiopro" is the nick used by "Keith" on tek-tips.com

Re: taint mode perplexities
by zer (Deacon) on Mar 27, 2006 at 07:31 UTC
    If you are taking input in a CGI environment and you are worried about re-displaying code that has been input into your forms: it is true that there are some backends with scripts. However, they are not being run on the server, so that will be secure. However, the users viewing the script may be vulnerable. It isn't a bad idea to block out all script tags for their sake.
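The following Perl is an added example for this thread; it is not code from Keith's quoted post or from zer's reply. It shows the two points the replies make: under -T a form value is untainted only by a regex capture (a substitution such as the quoted s/[^a-zA-Z0-9@\/.,: ]//g removes characters but leaves the variable tainted), and a stored '<SCRIPT>' is never executed by the server, so the protection for the people viewing the page is escaping the value on output. The function names, the 256-character limit and the sample form values are assumptions made for the example.

```perl
# Added example for this thread (not code from the original posts).
# Run as:  perl -T thread_example.pl
# Assumptions: a form field arrives as a plain string; the sample
# values, the 256-character limit and the function names are made up.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, data from outside the program (STDIN, %ENV, form parameters)
# is tainted and cannot reach open(), system(), unlink() and friends
# until it has been passed through a regex *capture*.  A substitution
# like s/[^a-zA-Z0-9@\/.,: ]//g cleans the string but leaves it
# tainted; the capture below is what untaints, so the pattern is the
# entire check and is written as a whitelist.
sub untaint_field {
    my ($raw) = @_;
    return $raw =~ /\A([A-Za-z0-9\@\/.,: ]{1,256})\z/ ? $1 : undef;
}

# Whatever the input filter allowed, a value echoed into a page must be
# escaped on output.  The server never executes a stored "<SCRIPT>";
# the browser of whoever views the page would, so this is where that
# is prevented.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed sample form values.  Appending an empty substring of
# $ENV{PATH} (tainted under -T) marks each one tainted, as real CGI
# input would be; without -T nothing is tainted and the output says so.
my $taint = substr($ENV{PATH} // '', 0, 0);
my @samples = (
    'keith@example.com',
    '<SCRIPT>alert(document.cookie)</SCRIPT>',
    'a string with "quotes" & <tags>',
);

printf "taint checking %s\n\n", ${^TAINT} ? 'ON' : 'OFF (run with perl -T)';
for my $raw (map { $_ . $taint } @samples) {
    my $clean = untaint_field($raw);
    printf "input:   %s  [tainted: %d]\n", $raw, tainted($raw) ? 1 : 0;
    printf "untaint: %s\n",
        defined $clean ? sprintf('%s  [tainted: %d]', $clean, tainted($clean) ? 1 : 0)
                       : 'REJECTED (outside the whitelist)';
    printf "escaped: %s\n\n", html_escape($raw);
}
```

Run it with `perl -T` on the command line (or put -T on the shebang line and invoke the file directly; passing the file to `perl` without -T while the shebang has it makes Perl stop with "Too late for -T"). The first sample passes the whitelist and comes back untainted, the two containing '<', '"' or '&' are rejected, and the escaped line shows what the browser of a viewing user should receive in each case: markup rendered as text, not executed.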