Hi Erez!

On Tuesday 02 Feb 2010 15:20:16 Erez Schatz wrote:
> On 2 February 2010 15:06, Shlomi Fish <shlo...@iglu.org.il> wrote:
> > Ahmm... no.
> 
> Are you physically unable to say anything in a social manner?
> 

I apologise for writing my posts in a rude manner. See below for my response.

> > <<<
> > my %hash = (3 => <<"EOF");
> > </script>
> > <script type="text/javascript">
> > <!--- Insert nasty JS here --->
> > </script>
> > <img src="spammer stuff."...
> > This is called a cross-site scripting attack (
> > http://en.wikipedia.org/wiki/Cross-site_scripting ) and is very serious.
> 
> If someone accessed my server, and rewrote my CGI script, I probably
> don't need to worry about cross-site scripting attacks. As it is, I
> specifically mentioned that this can be used to pass variables from
> Perl to the html document. For the other way, I asked for the OP to
> supply us with more information.

You're right that in this case one will have bigger problems. However, telling 
beginners that they should simply interpolate variables into the HTML may lead 
them into thinking this is always the right thing to do, including in cases 
where it is a function of user input. And then you have thousands of scripts 
written by beginners with XSS vulnerabilities.

I believe prevention is better than the cure and that we should instruct 
newcomers on the proper way to write safe Perl code. Here are a few resources 
for that:

1. http://perl-begin.org/ .

2. http://perl-begin.org/uses/web/ .

3. http://jdporter.perlmonk.org/cgi_course/ .

4. http://community.livejournal.com/shlomif_tech/35301.html - "Code/Markup 
Injection and Its Prevention".

> 
> > Please use a good JSON module to pass and encode data to JavaScript.
> 
> No need to plead, and even so, there are other ways of passing data to
> either side; 

Well, if you are going to assign to a JavaScript variable, you should use 
JSON.

> however, this is a beginner-level plain CGI question,
> which is a few levels lower than the point you are trying to make.

It is still instructive to instruct beginners on the dangers of code/markup 
injection.

Regards,

        Shlomi Fish

-- 
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
Stop Using MSIE - http://www.shlomifish.org/no-ie/

Deletionists delete Wikipedia articles that they consider lame.
Chuck Norris deletes deletionists whom he considers lame.

Please reply to list if it's a mailing list post - http://shlom.in/reply .

-- 
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
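The following is an added example, not code from the thread or from either poster. It puts the two points made above side by side in a plain Perl script: the raw interpolation of a value into an HTML page (and into a JavaScript string) that Shlomi warns about, next to HTML-escaping for markup and JSON-encoding for a JavaScript variable. The "user input" is a constructed string standing in for a CGI parameter; HTML::Entities (from the HTML-Parser distribution on CPAN) and JSON::PP (core since Perl 5.14; JSON and JSON::XS offer the same encode_json interface) are assumed to be installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);   # assumed installed (HTML-Parser dist)
use JSON::PP qw(encode_json);             # core since Perl 5.14

# Constructed sample input standing in for something like $q->param('name').
my $name = q{Bob</script><script>alert(document.cookie)</script>};

# UNSAFE: raw interpolation. Whatever the user typed becomes markup/code.
# The "</script>" in $name closes the script element and opens a new one.
sub unsafe_page {
    my ($who) = @_;
    return <<"EOF";
<p>Hello, $who</p>
<script type="text/javascript">
var who = "$who";
</script>
EOF
}

# SAFE, part 1: HTML-escape anything that lands in element content or in
# an attribute value. The second argument lists the characters to encode.
sub html_text {
    my ($s) = @_;
    return encode_entities($s, q{<>&"'});
}

# SAFE, part 2: JSON-encode anything that becomes a JavaScript value.
# Caveat: JSON::PP does not escape '/' by default, so a "</script>" inside a
# JSON string would still close the script element for the HTML parser.
# Rewriting "</" as "<\/" is a valid JSON/JS escape and makes it inert.
sub js_value {
    my ($data) = @_;
    my $json = encode_json($data);
    $json =~ s{</}{<\\/}g;
    return $json;
}

sub safe_page {
    my ($who) = @_;
    my $who_html = html_text($who);
    my $who_js   = js_value({ who => $who });
    return <<"EOF";
<p>Hello, $who_html</p>
<script type="text/javascript">
var data = $who_js;
</script>
EOF
}

print "--- unsafe ---\n", unsafe_page($name);
print "--- safe ---\n",   safe_page($name);
```

Run it and compare the two outputs: the unsafe page contains a second <script> element assembled from the input, while the safe page shows the input as literal text (&lt;/script&gt;) and hands it to JavaScript as the string "Bob<\/script>...", which the HTML parser never sees as a tag. The same rule applies to any value that came from outside the script, whether from a form parameter, a cookie, a database row or a file.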
