pass raw html code via post

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello, I have a form that recieves values for sending an email. I am wanting the user to be able to input raw html code into a textarea form element. Posting this data through multiple scripts results in the data being corrupted and chomped. How can I pass raw html code recieved via a cgi textarea and pass this data from script to script without corrupting the data. I am currently posting the data via the hidden tag.

print $query->textarea(-name=>'message',
                       -rows=>10,
                       -columns=>50);

then ...

my $message = $query->param('message');
...
<input type="hidden" name="message" value="$message">
[download]

Thank you

Comment on pass raw html code via post Download Code

Replies are listed 'Best First'.
Re: pass raw html code via post by Joost (Canon) on Aug 03, 2005 at 12:17 UTC
You need to html-escape the $message in your HTML form. CGI.pm's form methods do this automatically, so in this case you can simply do `print $query->hidden('message');` [download] to generate the hidden field. Otherwise, you can use `$escaped = $query->escapeHTML($message); # .. <input type="hidden" name="message" value="$escaped">` [download] Or use Template: `<input type="hidden" name="message" value="[% $message \| html %]">` [download] "What should it profit a man, if he should win a flame war, yet lose his cool?"	[reply] [d/l] [select]
Re: pass raw html code via post by CountZero (Bishop) on Aug 03, 2005 at 12:28 UTC
Posting this data through multiple scripts results in the data being corrupted and chomped. Yes ... it must be that these scripts do something with this data causing it to become "corrupted and chomped" but without at least giving us an indication of what these scripts do, it is difficult to tell. Please try to provide us with a minimal script that shows this behaviour, otherwise it's impossible to give you any real help. CountZero "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law	[reply]
Re: pass raw html code via post by ww (Archbishop) on Aug 03, 2005 at 16:07 UTC
Not to be offensive (please grin, while reading the following as well-meant but emphatic) ... Are you utterly MAD? Unless you have sole and absolute control of any and all input devices that might be able to use your form and thereafter assure that NO part of the the input is ever subject to an eval or system call or (...the list goes on and on), you're just begging for trouble... anything from user_error on the .html input to knowledgeable exploits!	[reply]
Re: pass raw html code via post by rvosa (Curate) on Aug 03, 2005 at 14:44 UTC
Is it a good idea to pass around and insert code from user input? What about javascript hacks, for example?	[reply]