Re: RFC: CGI::Taintless

$self->{__Taintless_param_check} = "^$\[\\w\\\_\]\{1\,$max_param_len\}$\$";

I think it's hard to get the number of backslashes right. Maybe you want to use qr{...} instead? Also $ in a regex allows a trailing newline before the end of the string - is this what you want? If not, use \z instead.

Somehow I think that CGI::Taintless isn't a very good name at all. Your focus should be on validating CGI params, with the side effect of untainting them. Maybe something along the lines of CGI::RegexValidate might be more appropriate as a name?

Note that passing unvalidated CGI params to the output is a security risk, because it allows cross-site-scripting - unless you escape it. So the tests in your sample program fail for a good reason.

Usually I take the approach of trying to validate as little as possible, because I don't know how to validate. If there's a field for the real name of a user, how do you validate that? And if you do it, are you sure that all possible names in all human languages (of which there are quite many) are actually accepted? How do you test that?

Instead I use placeholders for my DB queries, and set the default_escape option of HTML::Template (or HTML::Template::Compiled) to html, and care as little as possible about the contents of the fields.

So for me this module makes only very little sense, but of course I can't speak for everyone, and I can well imagine that other perl hackers might find it useful.

Comment on Re: RFC: CGI::Taintless Select or Download Code

Replies are listed 'Best First'.
Re^2: RFC: CGI::Taintless by blazar (Canon) on Sep 24, 2008 at 13:32 UTC
Somehow I think that `CGI::Taintless` isn't a very good name at all. Your focus should be on validating CGI params, with the side effect of untainting them. Maybe something along the lines of `CGI::RegexValidate` might be more appropriate as a name? I personally believe that validating with regexen is fine and all, but the OP may want to extend his module to a more generic validating one allowing e.g. subs, arrayrefs (possibly to be matched against `~~`) and whatever. Then I do know that actual untainting is performed by means of regexen, but then indeed it could be done so anyway, if those other "objects" match. Then he could name his module `CGI::Validate::Untaint`. PS: [OT] I lost track of the `~~`'s return value in list context issue, which you brought up to p5p: how did it end? `--` If you can't understand the incipit, then please check the IPB Campaign.	[reply] [d/l] [select]
Re^3: RFC: CGI::Taintless (~~ in scalar context) by moritz (Cardinal) on Sep 24, 2008 at 14:31 UTC
I lost track of the ~~'s return value in list context issue, which you brought up to p5p: how did it end? The answer in short was "we don't know if it's a bug or a feature because we don't know what ~~ should really do". (Not literally, though). The fine p5p hackers long wanted to review smartmatch semantics, and this question encouraged them to actually do it. aristotle is now investigating how the Perl 6 smartmatch semantics changed since the perl 5 version was implemented, and plans to give p5p some feedback. Then they (or we) will try to decide what the best semantics for Perl 5 are.	[reply]