I am inviting a larger audience to try out a simple spell check cgi on my web server. I'm pretty sure I am not leaving security holes. Am I missing something obvious? Thanks much. -Michael 

#!/usr/local/bin/perl 
use CGI qw/:standard unescape/;

# This code segment is designed to accept parameters via HTTP to CGI
# and spell check each word.  The resulting output is displayed with
# non-match words highlighted.

my $open_html_indicator = '<b><font color="#FF0000">';
my $close_html_indicator = '</b></font>';
my $i;
my %hash;
my %misspelled_words;
my $varname;
my $mydata;
my %dict;

# Parse the parameters from the calling HTTP line
my @values = split(/&/,$ENV{'QUERY_STRING'});
foreach $i (@values) {
     ($varname, $mydata) = split(/=/,$i);
        $hash{$varname} = unescape($mydata); 
        #unescape clears out http %20 etc.
                }

# Response header to send back to the requesting web page
print header;
print << 'EOL';
<html><head><title>Spell Check API Example</title></head>
<body>
<font face="Arial" size=2>
EOL

# Load the dictionary word list into a hash

open DICT,"</usr/dict/words2";  # This just points to a word list 

while(<DICT>){
        chomp;
        $dict{lc($_)}=1;
        }
close DICT;

print "<H3> The following $open_html_indicator highlighted $close_html
+_indicator words" .
          " are not found in the English dictionary </H3> <br>";
print "<table border='1'>";

while ( ($varname, $mydata) = each %hash ) {
  
        my @words=split /[^a-zA-Z0-9']+/,$mydata;
        foreach (@words){
          if(!defined $dict{lc($_)}){
                if(!defined $misspelled_word{$_}){   
                # If the data is already caught , then move on
                  $misspelled_word{$_} = 1;
                  $mydata =~ s/$_/$open_html_indicator $_ $close_html_
+indicator/g;
            }
          }
        }
        print "<tr><td><br><b>$varname:</b>  $mydata<br></td></tr>";
}
print "</table>";
print "<br><br><font size='1'> Spell Check API Example </font>";
print "</body>";
print "</html>";

[download]

In reply to Is this secure? by Anonymous Monk

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.