in reply to simple form post question

You could have posted the full script. Anyways:
#!/usr/bin/perl
use CGI;
use strict;

my $q = CGI->new;
my $string = $q->param('content');      # the posted string.
$string = '' unless defined $string;    # nothing posted yet: avoid working on undef
$string =~ s/\r?\n$//s;                 # remove trailing CRLF

if ($string =~ /foo/) {                 # decide what to do depending on input
    print $q->redirect('http://host.tdl/some/other/uri');
} else {
    print $q->header, $q->start_html;
    if ($string) {
        # print "<p>You posted: $string\n";   # <-- bad
        # what oxone said below - avoid XSS attacks
        print "<p>You posted: ", $q->escapeHTML($string), "\n";   # <-- better
    } else {
        print <<EOH;
<form action="/cgi-bin/posttest.cgi" method="POST">
<textarea name="content" cols=40 rows=4>Enter data here.
</textarea>
<input type="submit" value="Process">
</form>
EOH
    }
    print $q->end_html;
}

update: fixed XSS vulnerability. Thanks, oxone.

--shmem

_($_=" "x(1<<5)."?\n".q·/)Oo.  G°\        /
                              /\_¯/(q    /
----------------------------  \__(m.====·.(_("always off the crowd"))."·
");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}

Re^2: simple form post question
by oxone (Friar) on Dec 13, 2007 at 11:54 UTC
    By the by, this is also a great example of how to open up your site to cross-site scripting vulnerabilities.

    It's always a bad idea to take some CGI input, then display it right back to the browser. The user may enter HTML tags, JavaScript etc. which might then disrupt your returned page.

    I'd recommend always doing this if displaying back submitted data into the browser:

    print $cgi->escapeHTML($string);

    This 'escapes' any meaningful characters such as angle brackets, so the browser will just display them literally.
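An added example, not from shmem's or oxone's posts, that runs CGI::escapeHTML over a few constructed inputs from the command line (no web server or real POST needed) to show which characters it neutralises; the sample strings and the safe_paragraph helper are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example, not part of the thread: shows what CGI::escapeHTML does to
# user input before it is echoed back, using constructed strings instead of
# a real POST so it can be run from the command line.
use strict;
use warnings;
use CGI;

# Constructed sample inputs, as a user might type into the textarea.
my @samples = (
    'plain text',
    '<script>alert(1)</script>',   # markup is shown literally after escaping
    'Tom & Jerry',                 # a bare ampersand becomes &amp;
    'say "hi"',                    # double quotes are escaped too, so the
                                   # result is also safe inside value="..."
);

# The same construction the corrected script uses for its "You posted:" line.
sub safe_paragraph {
    my ($q, $string) = @_;
    return '<p>You posted: ' . $q->escapeHTML($string) . "\n";
}

# CGI->new accepts a hashref of parameters, which stands in for a real POST here.
my $q = CGI->new({ content => $samples[1] });

for my $s (@samples) {
    printf "%-28s => %s\n", $s, $q->escapeHTML($s);
}
print safe_paragraph($q, scalar $q->param('content'));

# escapeHTML covers HTML text and quoted attribute values only; data placed
# inside a <script> block or a URL needs escaping appropriate to that context.
```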