There's one small caveat with your code. If you are using
CGI::Carp _and_ malicious data fails, the data will
be printed out back to the browser, data, which could have been construed just to be sent back to
the browser (for example, the Slashdot-Cookie-Stealer worked that way, by giving you an URL that was like
http://www.slashdot.org/non-existing-directory/<SCRIPT>... evil JavaScript ...
, which was then printed out by Slashdot back to the browser, and then run in the browser.
My strategy would be to just log taint-failed data into a file, as you never know exactly how that data got to
your machine. Of course, maybe using HTML::Entities could prevent such misuse, as the
text will then come back literally instead of interpretable ...
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
|
