- Just rendering any user input in an HTML page without checks can be considered a security risk. Especially if that input is also viewed by other users (so called cross-site scripting attacks). For instance, see this article on perl.com. Your best bet is to disable as much as possible (only allow <b> and <i>, for instance) and HTML-escape the rest. Also note that not verifying user input can be a big risk if the called functions also don't check their input for sane values.
- You should make your "functions.lib" not accessible to browsers, then, as long as the .cgi script does good checks on who is calling what in the functions library, you'll be all right. Your insecurity about this issue makes me wonder, though. Can you show some code?
The real question is this: if someone knew the code of my scripts, do you think he could find some hole?
Not easy to say, since I haven't seen your code :-) The magic 8-ball says: very likely.
Joost.
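As an added illustration of the first reply's advice (HTML-escape everything, then allow only bare <b> and <i>), here is a small Perl sanitizer. It is example code written for this page, not code from the thread or from the poster's functions.lib, and the sample input at the bottom is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Only these tags survive; everything else is rendered as literal text.
my %allowed = map { $_ => 1 } qw(b i);

sub sanitize_html {
    my ($text) = @_;

    # Pass 1: escape every character the browser could treat as markup.
    # From here on, nothing in $text can start a tag, attribute or entity.
    my %esc = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$esc{$1}/g;

    # Pass 2: re-enable only bare <b>, </b>, <i>, </i>. A tag carrying
    # attributes (e.g. an event handler) never matches, because nothing
    # is allowed between the tag name and the closing bracket.
    my @stack;          # currently open whitelisted tags, for balancing
    my $out = '';
    while ($text =~ m{\G(.*?)&lt;(/?)([A-Za-z]+)&gt;}gcs) {
        my ($plain, $slash, $raw) = ($1, $2, $3);
        my $tag = lc $raw;
        $out .= $plain;
        if (!$allowed{$tag}) {         # not whitelisted: keep it escaped
            $out .= "&lt;$slash$raw&gt;";
        } elsif ($slash) {             # closer: honour it only if open
            if (grep { $_ eq $tag } @stack) {
                while (@stack) {       # unwind so nesting stays well-formed
                    my $t = pop @stack;
                    $out .= "</$t>";
                    last if $t eq $tag;
                }
            }
        } else {                       # opener
            push @stack, $tag;
            $out .= "<$tag>";
        }
    }
    $out .= substr($text, pos($text) // 0);   # text after the last tag
    $out .= "</$_>" for reverse @stack;        # close anything left open
    return $out;
}

# Constructed sample input (not from the thread): a legitimate <b>, a <b>
# with an event-handler attribute, a <script> block and an unclosed <i>.
my $input = 'Hi <b>there</b>, <b onmouseover="x()">bad</b> '
          . '<script>alert(1)</script> <i>open';
print sanitize_html($input), "\n";
```

The attribute-bearing <b> and the <script> block come out as escaped text, the stray </b> is dropped, and the unclosed <i> is closed at the end.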