in reply to Interpolation of variables in stored HTML

Using a template framework is the right answer. Several good ones have been suggested. You should know, your code as it stands is probably insecure. I am guessing from the snippet that you aren't using strict and that you are doing something like this?

%in = CGI->Vars;

[download]

If so—or if the input is coming from users at any stage without being vetted—a malicious URL can be passed to your form and it could do anything from erase or take over your site to hijack other users' accounts. All user input that is displayed as HTML must be HTML encoded: HTML::Entities. Don't save a security "clean-up" pass for last. Have it in mind always: OWASP. Text::Xslate in particular does HTML encoding by default.

Replies are listed 'Best First'.
Re^2: Interpolation of variables in stored HTML
by tel2 (Pilgrim) on Nov 04, 2016 at 02:58 UTC
    Thank you My Mother.

    Are you talking about someone putting a malicious URL in the firstname field, for example?
    Are you able to give me an example of a malicious URL which could do such damage, please?
    I'm using placeholders for storing the CGI parms into the database.

    Thanks again.

[reply]

      Anonymous Monk is right. If a hacker can put anything at all into your webpage they can insert JavaScript, a tag with a style attribute that imports a tracking URL to monitor other users who view the info in the future, or this one if the data goes to the DB: Exploits of a Mom.

[reply]

      If you don't escape/encode/filter the values you get from database, then the resulting html can be anything, it can be <form action=http... .... javascript ... so submit doesn't post the data you want, to the url you want .... whos writing the page, the author/programmer or internet stranger?

      Also no ReadParse no CGI->Vars they corrupt data

[reply]
[d/l]

In Section Seekers of Perl Wisdom