Call me naive, but I never considered Perl's taint mode to be very important for programming secure web applications.

I use it for my CGI scripts, but so far I don't think it ever prevented any malicious actions.

That's probably because my scripts don't work much with the file system, but instead they access a database. (If they do access the file system, it's always with a white listing approach). With DBI's placeholders there's no malicious value an intruder might enter to compromise the database.

For output I use HTML::Template::Compiled with the default_escape => 'HTML' option, so even for "malicious" values (containing HTML meta characters) I don't any HTML injected.

So the "classical" security bugs don't really threaten my CGI scripts - it's more a possible forgotten authentication check or so (or maybe XSRF) that might threaten them - but for those taint mode doesn't really buy me anything at all.

I absolutely understand that taint mode does not capture everything but it does capture a lot, and as far as I know has no drawbacks save the fact that too many modules were not written with it in mind. I believe it to be a useful tool.

Actually I my emphasis was not actually on taint, but can people take more interest in a systematic approach to security and learn form security practices in other languages as described in OWASP? One OWASP principle is "Defence in depth". As such why through away one possible line of defence?

Which means you already do all the things tainting would try to force you to without the need to be bugged by it. Good for you but ... the fact that you decided to drive safely, slow down in villages and towns, etc. etc. etc. doesn't mean other people do not need to be forced to slow down. You would not notice there's a speed limit, because you already drive below without being told. Others need to be told.

BTW, default_escape => 'HTML'? What if the value needs to end up in some JavaScript? Or a URL?

Update: s/willages/villages/, thx marto.

Jenda
Enoch was right!
Enjoy the last years of Rome.

BTW, default_escape => 'HTML'? What if the value needs to end up in some JavaScript? Or a URL?

You would declare the escape type in the template:

<a href="/foobar/<TMPL_VAR myurl ESCAPE=URI">...</a>
[download]

You can also use ESCAPE=NONE inside the template if you consciously want to interpolate HTML. The point is just that if you don't think of escaping at all, there's a safe default which does not lead to XSS holes.

Perl 6 - links to (nearly) everything that is Perl 6.

I think perl should be a bigger part of OWASP.

This is not to say that Perl web-app security isn't important -- it is -- but these various Alliance for Mom and Apple Pie outfits are pretty silly.

That sounds like an argument against all human endeavor. Of course some ventures do fail, but the successful ones probably had denigrators too.

That sounds like an argument against all human endeavor.

Not at all -- just an argument against people creating phony "alliances" or "movements." In politics, it's called "astroturf." In the tech industry, it's called "PR," and usually starts with as "FooCorp, the leader in blah blah."

I was however quite disappointed to see that there was nothing about perl on it.

There are OWASP projects for Java and .NET etc. Also the wiki rules had specific requirements on capitalization, so I may have got confused by the convention shift when coming back to perlmonks (if I ever desperately cared about it anyway).