Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi there Monks!
I am trying to use some filter from a form in my page and I've been reading about "escapeHTML". Could someone tell me what is the best way to use this module? Here is how I am currently using it, but I am not really sure if it's the best way. Simple code sample:

#!/usr/bin/perl -w
use strict;
use CGI qw(:standard);
use vars qw($q);
$q = CGI->new;   # the posted snippet declared $q but never created the CGI object
my $comments = CGI::escapeHTML($q->param( 'comments' )) || '';
Thank you!

Re: Best way to use escapeHTML
by ikegami (Patriarch) on Aug 08, 2011 at 23:06 UTC

    When inserting text into HTML, pass it through escapeHTML first.

    Since you're not producing any HTML in the snippet you posted, its use of escapeHTML is premature.

      Even this way?
      use strict;
      use CGI qw(:standard escapeHTML);
      my $q = new CGI;
      my $test = "What's the big''s deal?!!?? - <script>TEST</script>";
      my $comments = $q->escapeHTML( $test ) || '';
      print header();
      print "test: $comments";

        Yes, that's what it's for, although your naming really sucks, and you're using || '' against the wrong thing.

        my $comment = $cgi->param('comment') || '';  # or whatever
        ...
        my $comment_html = $cgi->escapeHTML($comment);
        print header();
        print "<p>Comments: $comment_html\n";
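An added example (not ikegami's code and not from the CGI distribution) of the ordering the reply above describes: default the raw form value, then escape once at the point the text goes into the HTML. It goes one step beyond the thread by showing a concrete reason `|| ''` on the escaped value is the wrong place: a comment of "0" silently disappears. The inputs are constructed stand-ins for `$q->param('comments')`; no request is read.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI ();   # CGI::escapeHTML is callable without importing :standard

# Recommended order: default the raw input, then escape once at the
# point the text is inserted into HTML.
sub comment_html {
    my ($raw) = @_;
    my $comment = defined $raw ? $raw : '';        # default the INPUT
    my $comment_html = CGI::escapeHTML($comment);  # escape at OUTPUT
    return "<p>Comments: $comment_html</p>\n";
}

# The order from the original question, kept only for comparison:
# escapeHTML(undef) returns undef, so || '' appears to work, but it
# also turns a legitimate comment of "0" into an empty string.
sub comment_html_defaulted_late {
    my ($raw) = @_;
    my $comment_html = CGI::escapeHTML($raw) || '';
    return "<p>Comments: $comment_html</p>\n";
}

# Constructed stand-ins for $q->param('comments'); no request is read.
my @samples = (
    undef,                          # field missing from the form
    '0',                            # a comment that is false in Perl
    '<script>TEST</script>',        # markup that must stay inert
    'Tom & Jerry said "hi"',        # characters with meaning in HTML
);

for my $raw (@samples) {
    print comment_html($raw);
    print comment_html_defaulted_late($raw);
}
```

For the '0' sample the first function prints `<p>Comments: 0</p>` while the second prints `<p>Comments: </p>`; for the `<script>` sample both print `&lt;script&gt;TEST&lt;/script&gt;`, which the browser renders as text rather than running.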
Re: Best way to use escapeHTML
by Anonymous Monk on Aug 08, 2011 at 21:57 UTC
    This is what you're attempting to do
    #!/usr/bin/perl --
    use strict;
    use warnings;
    use CGI();
    my $q = CGI->new;
    print $q->header,
        $q->start_html,
        $q->escapeHTML('<><><><><><>'),
        $q->escapeHTML( $q->param('comments'), ''),
        $q->end_html;
    __END__
    Content-Type: text/html; charset=ISO-8859-1

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
    <head>
    <title>Untitled Document</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    </head>
    <body>
    &lt;&gt;&lt;&gt;&lt;&gt;&lt;&gt;&lt;&gt;&lt;&gt;
    </body>
    </html>
    The CGI documentation is large, and the distribution comes with lots of examples; there is even a book on the module.
      What about like this:
      use strict;
      use CGI qw(:standard escapeHTML);
      my $q = new CGI;
      my $comments = $q->escapeHTML( $q->param('comments') ) || '';
      print header();
      print "test: $comments";
        Why?