in reply to Re: Security with /ee modifier
in thread Security with /ee modifier

Which *is* more resilient, but not bulletproof, as I've pointed out. It breaks if $with contains "\n_END_\n" or starts with "_END_\n".

Re^3: Security with /ee modifier
by bart (Canon) on Oct 05, 2004 at 05:48 UTC
    It can be made safer by escaping this case.
    print <<"_END_";
    It works!
    \_END_
    It really does.
    _END_
    which prints:
    It works!
    _END_
    It really does.
    

    It works because apparently you can escape underscores with a backslash, and still have them as just a backslash. If you don't trust this Perl feature (I can't say I've seen it documented anywhere), you might feel safer using something else as a delimiter, something that actually starts with a \W character, like "*END*".

    print <<"*END*";
    It works!
    \*END*
    It really does.
    *END*

    There isn't even a need to try and find something uniqueish. A plain "*" will do. The complete code can then become:

    $with =~ s/^\*$/\\*/mg;
    s{$this}{
        my $r = eval qq[<<"*"\n$with\n*\n];
        die $@ if $@;
        chop $r;
        $r;
    }eg;
      This breaks if the original contained the sequence \* .

      As for \-before-anything, it's sort of implied by the docs to quotemeta, but not really.
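
Added example, not part of any post in this thread: a small harness that runs the here-doc expansion discussed above with and without the terminator escape, so the effect of a lone "*" line in $with can be checked directly. The helper name expand_template, the $escape switch, the $main::name variable and all inputs are constructed for illustration.

```perl
use strict;
use warnings;

our $name = 'world';    # constructed sample variable for interpolation

# Hypothetical helper: expand $with as a double-quoted here-doc
# delimited by a lone "*". With $escape set, lines consisting solely
# of "*" are backslash-escaped first, as in the thread's final code.
sub expand_template {
    my ($with, $escape) = @_;
    $with =~ s/^\*$/\\*/mg if $escape;
    my $r = eval qq[<<"*"\n$with\n*\n];
    return (undef, $@) if $@;    # report the parse failure to the caller
    chop $r;                     # drop the newline added before the terminator
    return ($r, undef);
}

# Constructed inputs: ordinary text, a line that equals the terminator,
# and a line that already reads backslash-star.
my @cases = (
    [ 'plain interpolation', 'Hello, $main::name' ],
    [ 'lone "*" line',       "before\n*\nafter"   ],
    [ 'literal \\* line',    "before\n\\*\nafter" ],
);

for my $case (@cases) {
    my ($label, $with) = @$case;
    for my $escape (0, 1) {
        my ($out, $err) = expand_template($with, $escape);
        # Show embedded newlines as the two characters \n for readability.
        printf "%-20s escape=%d => %s\n", $label, $escape,
            defined $out ? join('\n', split /\n/, $out) : 'eval failed';
    }
}
```

Without the escape, the lone "*" line ends the here-doc early and the remaining text is handed to the Perl parser, so the eval fails; with it, the line comes back as data. A line that already reads \* produces the same output as an escaped terminator line, so the two inputs cannot be told apart afterwards.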