
This question is related to one I posted earlier in which I had limited the form to certain specific operations. I now wish to expand it to allow a more savvy user to enter their own regex to make substitutions on the text.

I desire to make an application where a logged-in user (maybe just me) may enter a substitution regex in order to make edits to a body of text in a database. The substitution needs to allow captured groups, and evaluate properly in perl when it is executed.

Suppose we have the following:

    #FROM DATABASE TEXT
    $line = "Her house is on 34th Mt. Whitney St. near St. Mt. Helens St.";

    #FROM INCOMING FORM INPUTS
    $query = "(St\.\s)(Mt\.\s)(?=Helens)";
    $substitution = "Mount ${1}"; # USER MAY HAVE ENTERED "$1"

    #FOR RETURNED HTML HIGHLIGHT OF CHANGES
    $start = qq|<span class="highlight">|;
    $end = "</span>";

    return "Regex containing code disallowed." if $query =~ m[\(\?\??\{];
    return "Regex containing code disallowed." if $substitution =~ m[\(\?\??\{];

    my $replace = sub {
        my $evaluate = sub {
            return eval($1);
        };
        my $val = $substitution;
        $val =~ s/(\$\{\d+\})/$evaluate->()/eg;
        $val = "$start$val$end";
        return eval($val);
    };

    $line =~ s/$query/$replace->()/eg;

    #EXPECTED TEXT AFTER SUBSTITUTION
    $line = "Her house is on 34th Mt. Whitney St. near Mount St. Helens St.";

However, the above does not perform properly, hence this question. It seems that eval will only work on an actual variable, and not when mixed with other text. Furthermore, in order to ensure I am doing the eval on every possible capture group, I need to iterate over the substitution side looking for each one, and the nested eval seems problematic. I'm not sure if this is the problem--or what to do about it.

Yes, I have had to use some careful processing to untaint these inputs before this segment of the code, but I think that part is working--so assume there are no issues with taint at this point, and that the user's original input is unchanged--though feel free to suggest a better method for untainting that would dovetail nicely with the code above.

Note that code in the regex is explicitly disallowed for security purposes--and because it should be wholly unnecessary for my application. With no code, no other variables should be applicable--I only want the captured groups to properly evaluate via their ordinary $1, $2, etc. notations.

EDIT: A solution to this issue was posted by "jo37" in his second post below.

Blessings,

~Polyglot~


In reply to [SOLVED] Evaluating user-entered captured groups during Perl substitution by Polyglot
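
One way to get the substitution described in the post without passing any user text to eval, as an added example that is not from the thread and is not the solution by jo37 that the post mentions. The names expand_template, escape_html and highlight_substitute are hypothetical, and the sample values are the ones in the post.

```perl
use strict;
use warnings;

# Expand $1 / ${1} in the user's replacement text from a list of capture
# values. The user text is only ever treated as data, never passed to eval.
sub expand_template {
    my ($template, @captures) = @_;          # $captures[0] holds $1
    $template =~ s{\$(?:\{(\d+)\}|(\d+))}{
        my $n = defined $1 ? $1 : $2;
        ($n >= 1 && defined $captures[$n - 1]) ? $captures[$n - 1] : '';
    }ge;
    return $template;
}

sub escape_html {
    my ($text) = @_;
    my %entity = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $text =~ s/([&<>"])/$entity{$1}/g;
    return $text;
}

# Returns the edited line as HTML with each replacement highlighted.
sub highlight_substitute {
    my ($line, $query, $template) = @_;
    die "Regex containing code disallowed.\n" if $query =~ m[\(\?\??\{];
    # Without "use re 'eval'" Perl also refuses code blocks in a pattern
    # interpolated at run time, so this compile is a second line of defence.
    my $re = eval { qr/$query/ } or die "Invalid regex: $@";
    my ($out, $pos) = ('', 0);
    while ($line =~ /$re/g) {
        # Copy offsets and captures before any other regex runs.
        my ($from, $to) = ($-[0], $+[0]);
        my @caps = map { defined $-[$_] ? substr($line, $-[$_], $+[$_] - $-[$_]) : undef } 1 .. $#+;
        $out .= escape_html(substr($line, $pos, $from - $pos))
              . qq|<span class="highlight">|
              . escape_html(expand_template($template, @caps))
              . '</span>';
        $pos = $to;
    }
    return $out . escape_html(substr($line, $pos));
}

# Constructed sample input, using the values from the post.
my $line  = 'Her house is on 34th Mt. Whitney St. near St. Mt. Helens St.';
my $query = '(St\.\s)(Mt\.\s)(?=Helens)';
print highlight_substitute($line, $query, 'Mount ${1}'), "\n";
```

A user-supplied pattern can still backtrack heavily on long text, so an application that accepts one would normally run the match under a time limit.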
