in reply to Re: What Does Microsoft Think of Perl?
in thread What Does Microsoft Think of Perl?

dragonchild, with all due respect, I would disagree and assert that there's no inherent ill in using client-side Perl script, as compared to any other scripting language. PerlScript is no less secure than JavaScript, or VisualBasic for that matter.

But I concur with your point that putting too much client-side code up may be a dangerous thing. There are a couple of home-nodes here where you can find JavaScript that steals your cookies and reveals a bunch of other JavaScript holes. In the end, however, the choice of proper balance is all left to the developer(s) involved. There are a lot of cases where you simply can't get by without client-side scripting. Things that spring to mind are form input validation (prior to the form being submitted), some DHTML stuff, and so forth. These things are hardly prone to any exploits. The worst one could do with them is mess up webpage appearance... However, if I were presented with a choice, I'd go for PerlScript vs JavaScript. ;-)

Update 1: In a gesture that could be deemed as self-defense, let me clarify that I think client-side Perl is going to be somewhat more limited in its faculties than its server-side equivalent, just as is the case with JavaScript now. So, there's no reason to be panicky about PerlScript being so immensely powerful as to open ways for new creative hacks ;-).

_____________________
# Under Construction

Re3: What Does Microsoft Think of Perl?
by dragonchild (Archbishop) on Jul 19, 2002 at 19:55 UTC
    (I am not a JScript or VBScript guru, so I may be wrong in a few assertions below.)

    Perl isn't less secure. Perl is more powerful. You cannot access the operating system with JScript or VBScript. You cannot (easily) initiate a download from some other server and execute that code.

    Even more importantly, Acme::Bleach doesn't exist in anything but Perl. That alone makes security checking through regex impossible.

    My concern is that the increased power of Perl will not come with increased safeguards on the part of the browser manufacturers or the plugin manufacturers or the OS manufacturers. THAT is what I am scared $h!tless about.

    ------
    We are the carpenters and bricklayers of the Information Age.

    Don't go borrowing trouble. For programmers, this means Worry only about what you need to implement.
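The point about Acme::Bleach above, as an added example that is not part of the thread: a regex blacklist run over script source only sees the bytes that are there, and a source filter can make those bytes look like nothing. The encoder below is a toy in the spirit of Acme::Bleach (one byte becomes eight spaces or tabs), not the module's actual encoding; the "dangerous" script only builds a string so it is harmless to run.

```perl
#!/usr/bin/perl
# Added example, not from the thread: a toy whitespace encoder showing why a
# regex blacklist on client-side script source is not a security control.
# The encoding is an assumption in the spirit of Acme::Bleach, not the
# module's own format.
use strict;
use warnings;

# Turn source text into whitespace only: each byte becomes eight characters,
# a space for a 0 bit and a tab for a 1 bit.
sub bleach {
    my ($src) = @_;
    my $bits = unpack 'B*', $src;    # e.g. "0110110101111001..."
    $bits =~ tr/01/ \t/;             # 0 -> space, 1 -> tab
    return $bits;
}

# Reverse the mapping and reassemble the original bytes.
sub brighten {
    my ($white) = @_;
    (my $bits = $white) =~ tr/ \t/01/;
    return pack 'B*', $bits;
}

# The script a filter is supposed to catch. It only builds a string here,
# so running this example touches no files.
my $script = q{ my $op = "unlink"; "$op /tmp/victim" };

# A naive "security check": reject source that mentions risky builtins.
my $blacklist = qr/\b(?:unlink|rmdir|system|exec)\b/;

my $bleached = bleach($script);

print "plain script caught by blacklist:    ",
      ($script   =~ $blacklist ? "yes" : "no"), "\n";   # yes
print "bleached script caught by blacklist: ",
      ($bleached =~ $blacklist ? "yes" : "no"), "\n";   # no

# The whitespace form is still fully executable once decoded at run time,
# which is what a source filter such as Acme::Bleach does transparently.
my $result = eval brighten($bleached);
die $@ if $@;
print "decoded and executed, result: $result\n";       # unlink /tmp/victim
```

The same argument applies to any pattern-based check: string concatenation, `eval`, `pack`, or a source filter all produce code the regex never sees. The only controls that hold are the ones the host enforces at run time (what the script engine is allowed to do, and from which zone it may run at all), which is the concern the rest of this thread turns to.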

      As is pointed out below, this is a fairly old article. In its current state, there is little (read no) likelihood that PerlScript will be installed by default on Windows/IE.

      Of course, there are those that will install PerlScript (such as myself). At one point, this was fairly dangerous, as is mentioned here. PerlScript is too powerful (it lacks the "sandbox" of JavaScript) to be used for general web scripting at the moment. Testing on my own machine, I was able to use PerlScript in a web page to delete a file on my computer, without any sort of prompt whatsoever.

      However, the page linked to is out of date. It says that the only way to avoid this problem is to not browse the web or turn off scripting in the browser for any machine that has PerlScript installed. Looking at the current documentation for PerlScript, there is a registry setting that limits PerlScript to certain IE Internet zones. By default PerlScript only runs in the "local intranet", which means that a random site on the web cannot use it to attack your computer. It also means that a company can choose to use client-side PerlScript on their intranet web sites without severely compromising the security of their users' computers.

      In short, the current default in every version of Windows is that PerlScript is not installed. If it is installed, a client's PerlScript will not be available to regular web sites. Even if a user decided to be stupid and enable PerlScript for the Internet zone in IE, it is unlikely that many malicious sites would bother targeting their attacks on that tiny group of people (which is presumably much smaller than the group of people that will just click "yes" and install any ActiveX control that the web site asks them to).