in reply to CGI script security: putting untainted input into a qr//

Because you don't have use re 'eval' in scope, you're safe from arbitrary code execution. However, you might still get a denial-of-service attack on a long-running regex, or perhaps a cross-site-scripting attack because you haven't escaped your less-thans in your print.

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.

Re^2: CGI script security: putting untainted input into a qr//
by eXile (Priest) on Apr 14, 2005 at 02:38 UTC
    thanks!

    I'm only wondering about the cross-site-scripting because I'm printing text/plain, so in theory no html is shown/executed, or is there?

      IIRC, IE will try to do the right thing (for its definition of the right thing). Even if you make it text/plain, I think it may render it as HTML if it looks like HTML.

      Update: Just checked this, and yes it does. The following code, in s.txt, renders as HTML in IE.

      <A HREF="/">Root</A> <IMG SRC="/logo.jpg">

      --MidLifeXis
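One way to handle the two risks this thread raises, a pattern built from user text and browser sniffing of a text/plain body, as an added example that is not code from the thread: it assumes CGI.pm is installed, reads a hypothetical `q` query parameter, and searches a constructed list of lines standing in for the real data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(param);   # CGI.pm: assumed installed (not core since Perl 5.22)

# Hypothetical query parameter carrying the user's search term.
my $term = param('q') // '';

# Bound the input first: the pattern is built from this text, so a length
# cap limits how long a pathological regex can run.
die "search term too long\n" if length($term) > 100;

# \Q...\E quotes the user's text as literals, so metacharacters such as
# "(", "+" or "(?{...})" cannot change the pattern's structure. Without
# "use re 'eval'" in scope a code block in interpolated text would not run
# anyway, but quoting also removes the backtracking blow-up an unquoted
# "(a+)+" would introduce.
my $re = qr/\Q$term\E/i;

# Constructed sample data in place of the file or list being searched.
my @lines = (
    "alpha beta",
    "gamma <script>alert(1)</script>",
    "delta (beta)",
);
my @hits = grep { $_ =~ $re } @lines;

# Ask the browser not to second-guess the declared type (older IE sniffs a
# text/plain body that looks like HTML and renders it), and escape markup
# characters anyway so the body stays inert where the header is ignored.
print "Content-Type: text/plain; charset=UTF-8\r\n";
print "X-Content-Type-Options: nosniff\r\n";
print "\r\n";
print "Matches for ", CGI::escapeHTML($term), ":\n";
print CGI::escapeHTML($_), "\n" for @hits;
```

With `q=beta` the script prints the first and third sample lines; with `q=(beta` it prints only the third, because the parenthesis is matched literally rather than opening a group.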