Thanks Haarg++ I would never be able to discover this. Great!

In said module (Data::Roundtrip) I have one instance of feeding YAML::PP with a string. As per your suggestion I am now untainting the string thusly:

sub yaml2perl {
  my $yaml_string = $_[0];
  ...
  ($yaml_string) = each %{{$yaml_string,0}};
  my $pv = eval { YAML::PP::Load($yaml_string) };
  ...
  return $pv
}
[download]

I was previously using YAML but it failed for an (extremely) corner case with a quotes-inside-quotes string. And so I went for YAML::PP as I did not want to use YAML::XS out of concern for users in not dev-friendly environments. YAML::PP does not have a problem with aforementioned corner case.

I had another choice of restricting use of Data::Roundtrip for Perls >= 5.14. But I keep this as last resort.

Any opinions welcome.

Thank Haarg again for looking into this, bw, bliako

I did not want to use YAML::XS out of concern for users in not dev-friendly environments ... Any opinions welcome

Well, since you are soliciting opinions it would be remiss not to mention that I've found YAML::XS to be significantly faster for parsing to the point where I have modified old, third-party code to use it in preference.

It depends on your use case and that of other users of your code but you could consider employing one of the many options for conditional dependencies in this scenario rather than explicitly using the PP module.

For clarity, YAML::PP and YAML::XS are not 100% API compatible so there may be a little work involved in supporting both, should you choose to do so.

---

🦛

noted, thanks. I will take your advice and accommodate both. (which means different set of bugs depending on setup, thanks! :))