My specification included (and requires) registering untaint handling callbacks with the CGI::Paranoia object on creation. This is the application's opportunity to say what is tainted and what not.
Also in the case of functuons like self_url(), the application is not well placed to say what is tainted. The application is well placed to test each parameter for taint, but to test the result of self_url() for taint it has to parse an http address. The CGI module is better placed to do this albeit deferring to the application when it is reduced down to individual parameters.
I clearly need to knock up a simple example, which I will endeavour to do before someone else posts.
Now the test script: test.pl.<html> <head><title>test.tmpl</title></head> <body> <TMPL_VAR NAME="form"> <submit/> </form> </body> </html>
The output is as follows:#!/usr/bin/perl -wT use HTML::Template; use CGI; my $q = CGI->new(); my $template = HTML::Template->new(filename => './test.tmpl',force_unt +aint=>1); $template->param(form=>$q->start_form()); print $template->output();
I think the CGI module is better placed to produce an untainted start_form() value then the application.$> perl -T test.pl <html> <head><title>test.tmpl</title></head> <body> <form method="post" action="http://localhost" enctype="multipart/f +orm-data"> <submit/> </form> </body> </html> $> perl -T test.pl blah=1 HTML::Template->output() : tainted value with 'force_untaint' option a +t test.pl line 7
In reply to Re^2: CGI::Paranoia - Re^4: Is the force_untaint option in HTML::Template overkill?
by SilasTheMonk
in thread Is the force_untaint option in HTML::Template overkill?
by SilasTheMonk
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |