wcnardone has asked for the wisdom of the Perl Monks concerning the following question:

I'm updating some old Perl web code that was not checking input parameters from the web page for invalid characters and/or scripting code. I'm already using HTML::StripScripts::Parser to strip out most of the invalid input, but one of the hacker input strings starts with >'> and any use of the string in a comparison or other string function does not behave properly, like comparing the initial string to the stripped string. The length function seems to be the only one that works.

Any ideas on how to handle the original string?

Re: HTML input string that starts with >'>
by Corion (Patriarch) on Feb 01, 2010 at 21:03 UTC

    Maybe you want to show us your code, the input, and what error(s) you get when the two come together?

    Maybe you want to read perlop, especially on the eq operator for string comparison.

    Alternatively, read perlre, about regular expressions that could match such a string.

    Maybe you just want to play it safe and HTML-escape all parameters before interpolating them into any HTML output, as you should, potentially by using HTML::Entities?

      Thanks. Found the problem: HTML &gt; in string instead of >
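The pitfall Corion's reply points at, worked through as an added example (not code from the original thread): the filtered string holds the entity `&gt;` where the raw parameter holds `>`, so a plain `eq` between them reports a difference even when nothing was stripped. Normalising both sides with HTML::Entities' `decode_entities` before comparing fixes the check, and `encode_entities` on output keeps the parameter from being interpolated raw into HTML. The two filtered strings are constructed to stand in for a stripper's output; the helper names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities decode_entities);

# Constructed samples: the probe string the OP describes, and a harmless one.
my $probe  = q{>'><script>alert(1)</script>};
my $benign = q{>'>hello};

# Constructed stand-ins for a stripper's output: text characters come back
# entity-encoded (&gt; instead of >), and the script element is gone.
my $probe_filtered  = q{&gt;'&gt;};
my $benign_filtered = q{&gt;'&gt;hello};

# The naive check compares two different representations of the same text,
# so the benign string looks "modified" as well.
sub naive_was_modified {
    my ($raw, $filtered) = @_;
    return $raw ne $filtered;
}

# Decode entities on both sides so the comparison happens in one
# representation; only real removals show up as a difference.
sub was_modified {
    my ($raw, $filtered) = @_;
    return decode_entities($raw) ne decode_entities($filtered);
}

# Escape a parameter for use inside an HTML attribute or text node.
# The second argument lists the characters to encode, including both quote
# styles, so a value like  '>  cannot close an attribute early.
sub html_escape {
    my ($value) = @_;
    return encode_entities($value, q{<>&"'});
}

printf "benign, naive: %s\n", naive_was_modified($benign, $benign_filtered) ? 'modified' : 'unchanged';
printf "benign, fixed: %s\n", was_modified($benign, $benign_filtered)       ? 'modified' : 'unchanged';
printf "probe,  fixed: %s\n", was_modified($probe,  $probe_filtered)        ? 'modified' : 'unchanged';
printf "escaped for output: %s\n", html_escape($probe);
```

Expected behaviour: the naive check reports the benign value as modified, the decoded comparison reports it unchanged and reports the probe as modified, and the escaped probe contains no raw `<`, `>` or quote characters. Note that `decode_entities` is only for the comparison; the value written into the page should always go through `html_escape`.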

Re: HTML input string that starts with >'>
by aquarium (Curate) on Feb 01, 2010 at 22:14 UTC
    Just as a precautionary measure, one should not attempt to fix invalid input. Therefore a parameter that fails a match against the valid character set (usually restricted to a-zA-Z0-9) immediately rejects the parameter and doesn't try to do anything else with it. Otherwise one ends up digging one's own hole.
    the hardest line to type correctly is: stty erase ^H
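The reject-don't-repair approach aquarium describes, as an added example that is not code from the thread: each expected parameter gets an anchored allowlist pattern, anything that fails its pattern (or is not expected at all) causes the request to be refused, and no sanitising is attempted. The field names, patterns and the sample request are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed per-parameter allowlists. \A and \z anchor the whole value; a
# trailing $ would still accept a value ending in a newline.
my %ALLOWED = (
    username => qr/\A[A-Za-z0-9]{1,32}\z/,
    page     => qr/\A[0-9]{1,6}\z/,
);

# Returns (\%accepted, \@rejected). A parameter is accepted only when it is
# present and matches its pattern exactly; unexpected names are rejected too.
sub validate_params {
    my ($params) = @_;
    my (%ok, @bad);
    for my $name (sort keys %ALLOWED) {
        my $value = $params->{$name};
        if (defined $value && $value =~ $ALLOWED{$name}) {
            $ok{$name} = $value;
        } else {
            push @bad, $name;
        }
    }
    push @bad, grep { !exists $ALLOWED{$_} } sort keys %{$params};
    return (\%ok, \@bad);
}

# Constructed request: the probe from the thread in one field, a valid
# value in the other, and one parameter the page never asked for.
my %request = (
    username => q{>'><script>alert(1)</script>},
    page     => '3',
    debug    => '1',
);

my ($accepted, $rejected) = validate_params(\%request);
if (@{$rejected}) {
    # Refuse the whole request; do not try to clean the bad values.
    print "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n";
    print "rejected parameter(s): @{$rejected}\n";
    exit;
}
print "Content-Type: text/plain\r\n\r\n";
print "$_=$accepted->{$_}\n" for sort keys %{$accepted};
```

With the constructed request this prints a 400 response naming `username` and `debug`; only when every parameter passes does the script reach the part that uses them. Keeping the patterns per field (a page number is not a username) is what makes the allowlist tight enough to be worth having.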