But even if I were to present a list with a fixed list of paths, I would still end up needing to clean up and untaint that incoming variable anyways.
Right. Good point. (Sorry I didn't think of that at first... did I mention that web programming is something I do relatively seldom in my job?)
So, if you have the list that you present on people's browsers, and you get back a parameter string, rather than trying to untaint the parameter string, you just need to check whether it's an exact match to a particular string in your list of allowable paths. And this would be easy if you just store the allowed path list as keys of a hash.
Once you establish that it does match, you don't really need the parameter string after that (no need to untaint it) -- just use the matched item from your list (which the script reads directly from the server). And if there was no match, you just send whatever alternative feedback you deem appropriate...
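The allow-list lookup described in this reply, written out as an added example (not code from the thread). It runs under taint mode, assumes CGI.pm for parameter access, and uses constructed directory names in @paths as stand-ins for a real server-side list:

```perl
#!/usr/bin/perl -T
# Added example: exact-match allow-list for a path parameter under -T.
# Assumes CGI.pm; the directories in @paths are constructed placeholders.
use strict;
use warnings;
use CGI;

# Taint mode refuses to run external commands until PATH is trusted.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Server-side list of permitted locations (constructed). A real script
# would read this from a file the script, not the browser, controls.
my @paths = (
    '/var/www/data/reports',
    '/var/www/data/exports',
    '/var/www/data/archive',
);

# Key and value are the same trusted string. The lookup is done with the
# tainted parameter, but the value returned is the copy from @paths, so
# it carries no taint and needs no regex "cleaning" at all.
my %allowed = map { $_ => $_ } @paths;

sub resolve_path {
    my ($param) = @_;
    return undef unless defined $param;
    return exists $allowed{$param} ? $allowed{$param} : undef;
}

my $q     = CGI->new;
my $clean = resolve_path(scalar $q->param('path'));

print $q->header('text/plain');
if (defined $clean) {
    # $clean is the server-side string; safe to hand to opendir/open.
    opendir(my $dh, $clean) or die "Cannot open $clean: $!";
    print "$_\n" for grep { !/^\./ } readdir $dh;
    closedir $dh;
} else {
    # No match: give generic feedback, and do not echo the tainted input.
    print "Unknown location.\n";
}
```

Because the parameter is only ever compared, never used, a near miss such as a trailing slash or a `..` component simply fails the lookup.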