in reply to Re: Removing malicious HTML entities (now with more questions!)
in thread Removing malicious HTML entities (now with more questions!)

One common mistake is to leave debugging output to the browser on. It can dump out some useful info to hackers.
    use CGI::Carp qw(fatalsToBrowser);
    die "Bad error here";
Another common mistake is to upload an updated CGI script and not name it properly or give it executable perms. If the server doesn't catch it, a non-executable script can be returned as a text file. The server config file should catch it, but are you sure? I've been surprised a couple of times to see my script displayed as a text file, because it was mode 0644.

I'm not really a human, but I play one on earth.
Remember How Lucky You Are
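Both mistakes in the reply above can be caught in code. The following is an added example, not code from the original post or from any PerlMonks author. It assumes an Apache-style cgi-bin where scripts are recognised by a .cgi or .pl extension (the server config itself is not shown) and a CGI_DEBUG environment variable that only a development host sets; the parameter name `name` and the helper names `handle_request` and `unservable_scripts` are illustrative. In production the script never imports `fatalsToBrowser`: errors go to the server error log via CGI::Carp's timestamped `warn`, and the browser gets a generic page. The same file, run as `script.cgi check /path/to/cgi-bin` from a shell, lists scripts that are mode 0644 or lack the expected extension before anyone finds out by seeing source in a browser.

```perl
#!/usr/bin/perl
# Added example, not code from the original post. Assumptions: scripts are
# recognised by a .cgi/.pl extension (server config not shown) and CGI_DEBUG
# is set only on a development host.
use strict;
use warnings;
use CGI;
use CGI::Carp;   # warn/die now carry a timestamp and script name in the error log

# Import fatalsToBrowser only when a developer has explicitly asked for it.
# In production the handler at the bottom sends a generic page instead.
BEGIN {
    CGI::Carp->import('fatalsToBrowser') if $ENV{CGI_DEBUG};
}

# Real work goes here; die() on any unexpected condition.
sub handle_request {
    my ($q) = @_;
    my $name = $q->param('name');
    die "missing required parameter 'name'\n" unless defined $name && length $name;
    return "<p>Hello, " . $q->escapeHTML($name) . "</p>\n";
}

# Deploy-time check for the second mistake: list files in a cgi-bin that the
# server would either refuse to run or, worse, serve as plain text.
sub unservable_scripts {
    my ($dir) = @_;
    my @problems;
    opendir(my $dh, $dir) or die "opendir $dir: $!\n";
    for my $file (sort readdir $dh) {
        next if $file =~ /^\./;
        my $path = "$dir/$file";
        next unless -f $path;
        my @why;
        my $mode = (stat $path)[2] & 07777;
        push @why, sprintf('not executable (mode %04o)', $mode) unless -x $path;
        push @why, 'no .cgi/.pl extension' unless $file =~ /\.(?:cgi|pl)\z/;
        push @problems, "$path: " . join(', ', @why) if @why;
    }
    closedir $dh;
    return @problems;
}

# Run as "check [dir]" from the shell to audit a directory; otherwise behave
# as a CGI script.
if (@ARGV && $ARGV[0] eq 'check') {
    my $dir = defined $ARGV[1] ? $ARGV[1] : '.';
    my @bad = unservable_scripts($dir);
    print "$_\n" for @bad;
    exit(@bad ? 1 : 0);
}

my $q = CGI->new;
print $q->header(-type => 'text/html', -charset => 'utf-8');

my $body = eval { handle_request($q) };
if (!defined $body) {
    my $err = $@ || 'unknown error';
    warn "request failed: $err";    # full detail goes to the server error log only
    print "<h1>Internal error</h1><p>The request could not be completed.</p>\n";
} else {
    print $body;
}
```

The eval around `handle_request` is what keeps stack traces and file paths out of the response: a `die` inside it is caught and logged with `warn`, and the user sees only the fixed message. With CGI_DEBUG set, CGI::Carp's `fatalsToBrowser` handler is installed and a developer gets the full error in the browser, which is the only place that behaviour belongs.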