in reply to Re: Perl, JavaScript and quoting/escaping
in thread Perl, JavaScript and quoting/escaping

This starts it all: 
print '<a href="#" onClick="var xmlHttp = null;
    xmlHttp = new XMLHttpRequest();
    xmlHttp.open( &quot;GET&quot;,
      &quot;/cgi-bin/bid.js?aid='.(
        $rBid->{cgi}->param('aid')||-1
      ).'&quot; , false );
    xmlHttp.send( null );
    eval(xmlHttp.responseText);
    return false;">[Bid]</a>
';

[download]

In the above I'm scared that content from the client is being passed without first being quoted. I should escapeHTML this at the vary least, but this is not enough and whatever function I used needs to be secure enough for the job... Ideally I'd only use something provided by the specific make, model, and version of the processor. Understanding this is a remote web browser I'm willing to make certain concessions... Like using escapeHTML or URL escape functions provided by notable CPAN modules.

This is where the problem is: 
print $rBid->{session}->header(-type=>'text/javascript');
my $sth = $rBid->{dbh}->prepare(
'INSERT INTO bid VALUES (?, (SELECT bidder_username
  FROM session WHERE id=?));') or die $rBid->{dbh}->errstr;
$sth->execute($rBid->{cgi}->param('aid'),
  $rBid->{session}->id()||'undef') or
  print 'alert("Error: '.
    $rBid->{cgi}->escapeHTML($sth->errstr).'");'."\n";

print 'alert("Bid(s) Placed: '.
  $rBid->{cgi}->escapeHTML($sth->rows).'");'."\n";

[download]
The escapeHTML above is interpreted by the JS and not the HTML processor, as there is no HTML processor. I could switch to using alert('... but then I'd need to escape '.

Replies are listed 'Best First'.
Re^3: Perl, JavaScript and quoting/escaping
by Anonymous Monk on May 06, 2011 at 03:37 UTC
[reply]
Re^3: Perl, JavaScript and quoting/escaping
by ikegami (Patriarch) on May 06, 2011 at 05:19 UTC

    print 'alert("Bid(s) Placed: '. $rBid->{cgi}->escapeHTML($sth->rows).'");'."\n";

    You are generating JavaScript code using something called escapeHTML. Yeah, that's not going to work. Perhaps you should be using the function I posted that generates JavaScript code instead...

[reply]
[d/l]
[select]
      *sigh*

      This does something even if it doesn't produce the best results. I wouldn't be asking for help if I was doing the correct thing.

      This string contains "(s) and it just so happens that escapeHTML changes them to something else. Thus this code will run without errors, even if the output it generates is not correct. With zero escaping the code fails to compile just after the second ".

      As for the part you've taken above to mean something other then "Directly above this line of text" and instead as though top/bottom adjective were used. I think if you re-read it you'll see that I was talking about text/html and text/javascript respectively. Such that my statements about above make sense.

      Ohh yes, my question is "WHERE CAN I FIND A FUNCTION THAT WILL DO WHAT YOU THINK I NEED A FUNCTION TO DO?" So every thing we are arguing about is completely pointless as you understand clearly what I am asking for. I don't know why you replied, but I'm replying mainly to read myself type.

[reply]
[d/l]
[select]

        WHERE CAN I FIND A FUNCTION THAT WILL DO WHAT YOU THINK I NEED A FUNCTION TO DO?

        Huh??? How can you not know that it can be found here (text_to_js_lit)? This post points to a couple of others.

        So every thing we are arguing about is completely pointless as you understand clearly what I am asking for.

        Huh??? I didn't argue about anything. I've been trying to make sense of your posts. They've been filled with errors and they've been downright cryptic. And now I shall add mind-boggling to the list.

        No, I honestly did not think you located this old post of mine only to ask where it can be found!

[reply]
[d/l]

In Section Seekers of Perl Wisdom