in reply to Re^2: Security with /ee modifier
in thread Security with /ee modifier

It can be made safer by escaping this case.
print <<"_END_";
It works!
\_END_
It really does.
_END_
which prints:
It works!
_END_
It really does.

It works because apparently you can escape underscores with a backslash, and still have them as just a backslash. If you don't trust this Perl feature (I can't say I've seen it documented anywhere), you might feel safer using something else as a delimiter, something that actually starts with a \W character, like "*END*".

print <<"*END*";
It works!
\*END*
It really does.
*END*

There isn't even a need to try and find something uniqueish. A plain "*" will do. The complete code can then become:

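# Escape any line of $with that consists solely of the terminator "*".
$with =~ s/^\*$/\\*/mg;
# Evaluate $with as the body of a "*"-terminated heredoc, then drop the
# trailing newline that the heredoc adds.
s{$this}{
    my $r = eval qq[<<"*"\n$with\n*\n];
    die $@ if $@;
    chop $r;
    $r;
}eg;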

Re^4: Security with /ee modifier
by gaal (Parson) on Oct 05, 2004 at 07:43 UTC
    This breaks if the original contained the sequence \* .

    As for \-before-anything, it's sort of implied by the docs to quotemeta, but not really.
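
An added example, not part of the thread: the heredoc-in-eval technique from the post run over four constructed templates, including the `\*` case raised in the reply. The helper name `expand`, the variable table `%v` and the sample templates are assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical helper wrapping the post's heredoc-in-eval technique.
# %v is an assumed variable table that templates refer to as $v{...}.
sub expand {
    my ($with, %v) = @_;
    $with =~ s/^\*$/\\*/mg;               # escape lines that are only "*"
    my $r = eval qq[<<"*"\n$with\n*\n];   # interpolate as a "*"-terminated heredoc
    die $@ if $@;
    chop $r;                              # drop the newline the heredoc appends
    return $r;
}

# Constructed templates, each paired with the text its author meant literally.
my @cases = (
    [ 'variable',     'Hello, $v{name}!', 'Hello, world!' ],
    [ 'lone * line',  "a\n*\nb",          "a\n*\nb"       ],
    [ 'inline \*',    'glob \*.txt',      'glob \*.txt'   ],
    [ 'lone \* line', "a\n\\*\nb",        "a\n\\*\nb"     ],
);

for my $c (@cases) {
    my ($label, $template, $want) = @$c;
    my $got = expand($template, name => 'world');
    (my $shown = $got) =~ s/\n/\\n/g;     # keep each result on one output line
    printf "%-13s %-4s %s\n", $label, ($got eq $want ? 'ok' : 'LOST'), $shown;
}
```

The first two cases come back intact. In the last two the backslash in front of `*` is consumed by the double-quoted interpolation, so a template line that was `\*` comes out identical to one that was `*`.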