in reply to Introductory article on cross site scripting

I'm just going to copy their horribly incorrect Listing 5:

    #!/usr/bin/perl
    use CGI;
    my $var1 = CGI->new();
    my $parameter = $cgi->param('text');
    print $var1->header();
    print "parameter";

Where is $cgi ever defined? $var1 is the cgi object. How is this script vulnerable to scripting attacks? They print out the text 'parameter', not the variable $parameter. Someone really fudged things up here.

Their methods for 'filtering' input are just weird. Anyone who just throws s/[^A-Za-z0-9 ]*/ /g; to filter input is just being... stupid? Invalid data should not be filtered out, it should be outright rejected and the user should be reprompted for valid input.
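An added example, not the article's Listing 5 nor code from this thread, of what that script looks like once the object variable is consistent, the parameter is actually used, invalid input is rejected instead of rewritten, and the value is escaped on output; the allow-list pattern and length limit are assumptions standing in for whatever the application really expects.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Added example: one CGI object, and the parameter that is read is the one
# that gets used.
my $cgi  = CGI->new();
my $text = $cgi->param('text');

# Allow-list validation (assumed rule: letters, digits, spaces, 1-64 chars).
# Input that fails the rule is rejected outright rather than stripped; the
# error message deliberately does not echo the rejected value back.
if ( !defined $text || $text !~ /\A[A-Za-z0-9 ]{1,64}\z/ ) {
    print $cgi->header( -status => '400 Bad Request', -charset => 'UTF-8' );
    print "<p>Invalid input: only letters, digits and spaces "
        . "(1 to 64 characters) are accepted. Please try again.</p>\n";
    exit;
}

# Even validated input is HTML-escaped before being placed in the page, so
# output encoding never depends on the validation rule being tight enough.
print $cgi->header( -charset => 'UTF-8' );
print "<p>You entered: ", $cgi->escapeHTML($text), "</p>\n";
```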

Re: Re: Introductory article on cross site scripting
by jryan (Vicar) on Feb 17, 2004 at 01:39 UTC
    Where is $cgi ever defined? $var1 is the cgi object. How is this script vulnerable to scripting attacks? They print out the text 'parameter', not the variable $parameter. Someone really fudged things up here.

    Is that the worst the article has to offer? This coulda been a last-minute addition that was published after tech-review. For instance, the tech-reviewer says "Looks great, but add a small example here." Since it is so small, the author doesn't bother to send it back to tech-review. It's a mistake; it happens. Can't you look past that?