For code injection I use a Safe compartment, where I enable only OPs that won't change the symbol table or call CODE (since I enable some simple CORE functions, like time, pack, etc...):
my @PERMIT_OPS = qw(
:base_mem
null stub pushmark const defined undef
preinc i_preinc predec i_predec postinc i_postinc postdec i_postdec
int hex oct abs pow multiply i_multiply divide i_divide
modulo i_modulo add i_add subtract i_subtract
left_shift right_shift bit_and bit_xor bit_or negate i_negate
not complement
lt i_lt gt i_gt le i_le ge i_ge eq i_eq ne i_ne ncmp i_ncmp
slt sgt sle sge seq sne scmp
substr stringify length ord chr
ucfirst lcfirst uc lc quotemeta trans chop schop chomp schomp
match split
list lslice reverse
cond_expr flip flop andassign orassign and or xor
lineseq scope enter leave setstate
rv2cv
leaveeval
gvsv gv gelem
padsv padav padhv padany
refgen srefgen ref
time
sort
pack unpack
) ;
use Safe ;
my $safe = Safe->new('CODE::INJECTION') ;
$safe->permit_only(@PERMIT_OPS) ;
## For regex insertion you should use:
my $RE = $safe->reval('qr/<\w+.*?>/s');
if ( "bla <b>bold</b> bla" =~ /$RE/ ) { print "has tag\n" ;}
my $RE_caption = $safe->reval('qr/(\d)/s');
my (@ret) = ( "a1 b2 c3" =~ /$RE_caption/g );
print "@ret\n" ; ## 1 2 3
I use it to enable configuration files like this:
<SERVER>
port => 80
extern => 1
listen => 5
name => "Some Server Name\n and a new line"
</SERVER>
<DOMAINS>
localhost => c:\dev\www
</DOMAINS>
<MYSQL>
DB1 => { user => 'foo' , pass => '123' , host => 'domain.foo' }
</MYSQL>
So, the user can set a Perl data structure as an entry (but it needs to be on one line), since I enable in the compartment the use of anonymous variables ({},[],"",'').
For what you want maybe you can unset some OPs and make it more secure. Enjoy! ;-P
Graciliano M. P.
"Creativity is the expression of the liberty".
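An added example, not part of the original post and not the poster's own parser: one way to read the configuration format shown above while sending each value through a Safe compartment. The section and "key => value" grammar is inferred from the sample file, `parse_config` is a hypothetical helper, and the opcode tags `:base_core` and `:base_mem` are an assumption that is broader than the hand-picked op list in the post.

```perl
use strict; use warnings;
use Safe;

# Assumption: opcode tags stand in for the post's hand-written op list.
# Neither tag contains system, open, require or entereval.
my $safe = Safe->new('CONFIG::VALUES');
$safe->permit_only(qw(:base_core :base_mem));

# Hypothetical helper: returns (\%config, \@errors) for the text given.
sub parse_config {
    my ($text) = @_;
    my (%config, @errors, $section);
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*$/;
        if ($line =~ m{^\s*<(/?)(\w+)>\s*$}) {      # <NAME> opens, </NAME> closes
            $section = $1 ? undef : $2;
            next;
        }
        my ($key, $src) = $line =~ /^\s*(\w+)\s*=>\s*(.*?)\s*$/;
        unless (defined $section && defined $key) { push @errors, "unparsable line: $line"; next }
        my $value = $src;                           # default: plain string
        # Only text that looks like a Perl literal enters the compartment.
        if ($src =~ /^(?:["'\[{]|-?\d)/) {
            $value = $safe->reval("+$src");         # unary + forces an expression
            if ($@) {
                (my $why = $@) =~ s/\s+\z//;
                push @errors, "$section.$key rejected: $why";
                next;
            }
        }
        $config{$section}{$key} = $value;
    }
    return (\%config, \@errors);
}

# Constructed sample; the DB2 entry deliberately calls a masked op.
my ($config, $errors) = parse_config(<<'END');
<SERVER>
port => 80
</SERVER>
<DOMAINS>
localhost => c:\dev\www
</DOMAINS>
<MYSQL>
DB1 => { user => 'foo' , pass => '123' , host => 'domain.foo' }
DB2 => { user => system('true') }
</MYSQL>
END
print "port=$config->{SERVER}{port} db1=$config->{MYSQL}{DB1}{user}\n";
print "error: $_\n" for @$errors;
```

Entries whose value fails to compile under the op mask are reported in the error list and never stored, so a rejected line cannot leave a half-evaluated value in the configuration.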