Re^2: CGI script security: putting untainted input into a qr//


Pathologically Eclectic Rubbish Lister
	PerlMonks

Re^2: CGI script security: putting untainted input into a qr//

by eXile (Priest)

on Apr 14, 2005 at 02:38 UTC ( [id://447640]=note: print w/replies, xml )

Need Help??

in reply to Re: CGI script security: putting untainted input into a qr//
in thread CGI script security: putting untainted input into a qr//

thanks!

I'm only wondering about the cross-site-scripting because I'm printing text/plain, so in theory no html is shown/executed, or is there?

Comment on Re^2: CGI script security: putting untainted input into a qr//

Replies are listed 'Best First'.
Re^3: CGI script security: putting untainted input into a qr// by merlyn (Sage) on Apr 14, 2005 at 02:39 UTC
Didn't notice the 'text/plain', but I figured you'd eventually wire this into a real web site, hence the notice. -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply]
Re^3: CGI script security: putting untainted input into a qr// by MidLifeXis (Monsignor) on Apr 14, 2005 at 17:36 UTC
IIRC, IE will try to do the right thing (for its definition of the right thing). Even if you make it text/plain, I think it may render it as HTML if it looks like HTML. Update: Just checked this, and yes it does. The following code, in s.txt, renders as HTML in IE. `<A HREF="/">Root</A> <IMG SRC="/logo.jpg">` [download] --MidLifeXis	[reply] [d/l]

In Section Seekers of Perl Wisdom

Log In^?

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://447640]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others goofing around in the Monastery: (2)

As of 2024-04-19 19:34 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found