in reply to Re^2: How to disable taint checking by Perl?
in thread How to disable taint checking by Perl?

The language they employ to disavow any association with 'taint' seems to indicate they disabled it, because their package is supported by the latest two releases of Perl, which, if I am not mistaken, typically enforce taint without it being explicitly called.

Blessings,

~Polyglot~

Re^4: How to disable taint checking by Perl?
by Corion (Patriarch) on Oct 25, 2023 at 13:16 UTC

    This is misinformed. Taint mode only gets enabled when running a script under differing real and effective user or group ids. Otherwise taint mode needs to be explicitly enabled in the script using the -T command line/hashbang. See perlsec.

    Enforcing taint would mean a lot more programming effort in each script since even system() or open() won't work easily without explicit untainting.

      Corion,

      It has been my understanding that the taint mode was not explicitly turned on as well--until I encountered issues not long back with a more recent version of Perl, leading to my present uncertainty. Can you verify that the current Perl version does not automatically use taint, without it having been explicitly invoked in the script, and are you aware of any online documentation for this?

      Blessings,

      ~Polyglot~

        I don't know why the absence of an idea would be explicitly documented somewhere in the Perl documentation. But you can look through the past perldelta files, which would certainly list that change.

        A quick test that Perl does not enable taint mode by default:

        corion$ perl -MScalar::Util=tainted -wE 'my $fn = shift; say tainted($fn)' foo
        0
        corion$ perl -T -MScalar::Util=tainted -wE 'my $fn = shift; say tainted($fn)' foo
        1

        The explanation in the first paragraph is explicitly defined in the hyperlink provided. Previously.
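
Added example, not part of any post in this thread: a script that reports whether taint mode is active and shows the explicit untainting that open() needs under -T, as described above. The script name taint_demo.pl, the file name demo_out.txt and the allow-list pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Run it both ways and compare:
#   perl    taint_demo.pl demo_out.txt
#   perl -T taint_demo.pl demo_out.txt
use strict;
use warnings;
use Scalar::Util qw(tainted);

# ${^TAINT}: 0 = taint mode off, 1 = on (-T), -1 = warn-only (-t).
printf "taint mode (\${^TAINT}): %d\n", ${^TAINT};

# Command-line arguments are tainted when taint mode is on.
my $name = shift;
defined $name or die "usage: $0 FILENAME\n";
printf "argument tainted: %d\n", tainted($name) ? 1 : 0;

# Under -T, opening a file for writing with a tainted name is refused
# ("Insecure dependency in open"); without -T the same call succeeds.
my $raw_ok = eval {
    open(my $fh, '>>', $name) or die "open failed: $!\n";
    close $fh;
    1;
};
print $raw_ok ? "open with raw name: allowed\n"
              : "open with raw name: refused: $@";

# Untaint by validating against an allow-list pattern (assumed policy:
# a plain file name, no slashes, no leading dot). A regex capture is the
# mechanism perlsec describes for obtaining an untainted value.
my ($safe) = $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]*)\z/
    or die "rejected file name: $name\n";
printf "validated name tainted: %d\n", tainted($safe) ? 1 : 0;

open(my $out, '>>', $safe) or die "open failed: $!\n";
print {$out} "written at ", scalar(localtime), "\n";
close $out or die "close failed: $!\n";
print "open with validated name: allowed\n";

# Remove the demo file again.
unlink $safe or warn "could not remove $safe: $!\n";
```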