Gryphaan has asked for the wisdom of the Perl Monks concerning the following question:

Hello all, I'm writing a program that accepts parameters both pre-set and user-defined and I'm concerned about the possibility of malicious code being sent in. Is there some way to test my program on how it deals with malicious code without actually sending it dangerous code? None of the incoming data is eval'd or directly used in any system command, but I'm still wondering if I missed anything. Thanks, -- Brian

Re: How do I test for potential security problems?
by OeufMayo (Curate) on Jan 14, 2001 at 20:40 UTC

    Your friend here is the -T switch. You should put it at the beginning of your shebang line switches:

    #!/usr/bin/perl -Tw

    (the w is the warning switch, which you probably want enabled, as well as use strict;)

    It will taint the incoming parameters, drastically reducing the potential security issues. You may also want to read perlsec for more detailed advice on Perl security.

    --
    PerlMonger::Paris(http => 'paris.pm.org');
      OeufMayo,

      Thanks for the quick reply. I've added taint checking and I only had to modify one routine to untaint some data.

      But I'm still faced with the potential of rogue input. For example, I've experienced this nice bit of input in a message board.

      <marquee onstart=for(i=0;i<500;i++)prompt()>


      This doesn't seem to affect Netscape, but IE gets hit and pops a window up 500 times. Since the program needs to accept HTML, is there a good way to eliminate stuff like this?

      TIA,

      -- Brian

        I don't have some code around to do this, but you might want to check HTML::Parser or HTML::TokeParser.

        The idea is to scan the user input for tags or attributes you don't want him/her to use (<SCRIPT>, <MARQUEE>, etc...), strip them and store the resulting HTML field.

        --
        PerlMonger::Paris(http => 'paris.pm.org');
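One way to implement the allow-list approach the reply above describes, as an added example that is not OeufMayo's or the original poster's code: it drives HTML::Parser's event handlers, keeps only a small table of permitted tags and attributes (the table itself and the http(s)-only rule for href are assumptions), so every on* event-handler attribute, including the onstart in the marquee example, is dropped.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Parser;
use HTML::Entities qw(encode_entities);

# Allow-list (assumed for this example): tag => [permitted attributes].
# Any tag or attribute not listed is silently discarded, which covers
# <script>, <marquee> and every on* event-handler attribute.
my %ALLOWED = (
    p => [], br => [], b => [], i => [], em => [], strong => [],
    a => ['href'],
);

sub sanitize_html {
    my ($dirty) = @_;
    my $clean = '';
    my $p = HTML::Parser->new(
        api_version => 3,
        start_h => [ sub {
            my ($tag, $attr) = @_;
            return unless exists $ALLOWED{$tag};   # unknown tag: dropped
            my @keep;
            for my $name (@{ $ALLOWED{$tag} }) {
                next unless defined $attr->{$name};
                # href must be an http(s) URL, so javascript:/data: are refused
                next if $name eq 'href' && $attr->{$name} !~ m{^https?://}i;
                push @keep, sprintf '%s="%s"', $name, encode_entities($attr->{$name});
            }
            $clean .= '<' . join(' ', $tag, @keep) . '>';
        }, 'tagname, attr' ],
        end_h => [ sub {
            my ($tag) = @_;
            $clean .= "</$tag>" if exists $ALLOWED{$tag} && $tag ne 'br';
        }, 'tagname' ],
        # decoded text is re-escaped, so stray < > & cannot form new markup
        text_h => [ sub { $clean .= encode_entities($_[0]) }, 'dtext' ],
        # comments, declarations and processing instructions have no handler
        # and therefore produce no output at all
    );
    $p->parse($dirty);
    $p->eof;
    return $clean;
}

# Constructed sample input, modelled on the marquee post above.
my $input = '<marquee onstart=for(i=0;i<500;i++)prompt()>Hi</marquee> '
          . '<b onmouseover="x()">bold</b> <a href="javascript:alert(1)">link</a>';
print sanitize_html($input), "\n";
```

Because the output is rebuilt from parsed tokens rather than produced by regex deletion, a tag that survives does so only with attributes the table names, and text content never reaches the page unescaped.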