in reply to read HTML <title> tag

Re^2: read HTML <title> tag
by muntfish (Chaplain) on Jun 01, 2005 at 10:55 UTC

    No, no, please don't do that; it's really insecure. It allows arbitrary code execution.

    Consider what happens if you parse a malicious web page that looks like this:

    <html> <head> <title>Nasty page"; system('rm -rf *');</title> ....

    So, your substituted statement to be eval'ed becomes:

    print "Title found is: Nasty page"; system('rm -rf *');

    Would you really want to evaluate that?

    At the very least, this code should be changed to:

    $htmlData =~ /<title>(.+?|[^.]*)<\/title>/i; print "Title found is: $1\n" if $1;

    Check out "perldoc perlsec" for more information.

    Update: fixed typo.


    s^^unp(;75N=&9I<V@`ack(u,^;s|\(.+\`|"$`$'\"$&\"\)"|ee;/m.+h/&&print$&
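
The distinction drawn in the post above, as an added example that is not part of the original thread. The first sub is an assumed stand-in for the eval-based code under discussion (that code is not shown on this page); the second keeps the captured title as data. The sample page is constructed, and its payload only sets a flag (`$INJECTED`, a hypothetical name), so the script is harmless to run.

```perl
use strict;
use warnings;

# Flag that the constructed payload tries to set; stays 0 unless page text ran as code.
our $INJECTED = 0;

# Constructed sample page: the title closes the string literal and appends a statement.
my $htmlData = '<html><head><title>Nasty page"; $main::INJECTED = 1; "</title></head></html>';

# Unsafe pattern (assumed reconstruction): page text is pasted into Perl source and eval'ed.
sub title_via_eval {
    my ($html) = @_;
    no warnings 'void';    # the injected source leaves a bare string constant behind
    my ($title) = $html =~ /<title>(.*?)<\/title>/is or return;
    my $code = qq{"Title found is: $title"};    # attacker-controlled text is now source code
    return eval $code;
}

# Safe pattern: test that the match succeeded, then use the capture only as data.
sub title_via_match {
    my ($html) = @_;
    if ($html =~ /<title>(.*?)<\/title>/is) {
        return "Title found is: $1";
    }
    return;    # no title found; never reuse a stale $1
}

title_via_eval($htmlData);
print "eval path:  INJECTED=$INJECTED\n";

$INJECTED = 0;
my $safe = title_via_match($htmlData);
print "match path: INJECTED=$INJECTED\n";
print "$safe\n";
```

In the match path the quote and semicolon from the page are printed as part of the title, because nothing ever compiles them.
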
      The eval'ed side of the replacement expression should be filtered when user input is used, you are correct; however, your example is far from a successful injection