Re^2: CGI script security: putting untainted input into a qr//

thanks!

I'm only wondering about the cross-site-scripting because I'm printing text/plain, so in theory no html is shown/executed, or is there?

Comment on Re^2: CGI script security: putting untainted input into a qr//

Replies are listed 'Best First'.
Re^3: CGI script security: putting untainted input into a qr// by merlyn (Sage) on Apr 14, 2005 at 02:39 UTC
Didn't notice the 'text/plain', but I figured you'd eventually wire this into a real web site, hence the notice. -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply]
Re^3: CGI script security: putting untainted input into a qr// by MidLifeXis (Monsignor) on Apr 14, 2005 at 17:36 UTC
IIRC, IE will try to do the right thing (for its definition of the right thing). Even if you make it text/plain, I think it may render it as HTML if it looks like HTML. Update: Just checked this, and yes it does. The following code, in s.txt, renders as HTML in IE. `<A HREF="/">Root</A> <IMG SRC="/logo.jpg">` [download] --MidLifeXis	[reply] [d/l]