Thanks for the warning! My users do, in fact, need security clearance to access this module.
Matthew Kaiser – IT Department Ext. 6138

From: Angus Lees [mailto:g...@inodes.org]
Sent: Tuesday, June 30, 2015 9:31 PM
To: Kaiser, Matthew; Andrew OBrien
Cc: embperl@perl.apache.org
Subject: Re: Processing user created html alongside epl html

Just a warning: You're now executing code provided by users on your server. If you don't trust these users, you'll want to restrict what opcodes are available to them:

http://www.embperl.org/embperl/pod/doc/doc13/HTML/Embperl.-page-9-.htm

A good test case might be to see what happens when the user provides some embperl mixed with their HTML:

"<p>This is my DoS attack: [- while (1) {} -]"

 - Gus

On Fri, 26 Jun 2015 at 05:14 Kaiser, Matthew <mkai...@midwestern.edu> wrote:

I see, got it! Thanks!

Matthew Kaiser – IT Department Ext. 6138

From: Kaiser, Matthew
Sent: Thursday, June 25, 2015 1:51 PM
To: Andrew OBrien; Kaiser, Matthew
Cc: embperl@perl.apache.org
Subject: RE: Processing user created html alongside epl html

I’m looking at the documentation at http://www.embperl.org/embperl/pod/doc/doc13/HTML/Embperl.-page-3-.htm and I don’t see a way to use a string of raw html as an input to Execute. Do you have an example I can work from?

Matthew Kaiser – IT Department Ext. 6138

From: Andrew OBrien [mailto:i.am.andr...@gmail.com]
Sent: Thursday, June 25, 2015 1:09 PM
To: Kaiser, Matthew
Cc: embperl@perl.apache.org
Subject: Re: Processing user created html alongside epl html

Unless I'm misunderstanding, you could always call execute with the $user_html string as input:

From memory, Execute allows a scalar as input rather than a filename.

Cheers,
Andrew

On 26 June 2015 at 01:55, Kaiser, Matthew <mkai...@midwestern.edu> wrote:

Hi, all.

I have a page that takes html created by users However, the embperl formdata structures don't seem to be aware of it.

Given parameters like this:

    %fdat = ( 'answer_1' => 'one', 'answer_2' => 'two' )

and

    @ffld = ( 'answer_1', 'answer_2' )

My user generated html parameter:

    $user_html = "Answer2: <input id='answer_2' name='answer_2' type='text'>";

And my epl html contents are:

    <html><body><form>
    Answer1: <input id='answer_1' name='answer_1'><br>
    [+ $user_html +]
    </form></body></html>

----------------------------------

The result I will get is: {just pretend the brackets are textfields in html}

    Answer1: [ one ]
    Answer2: [ ]

---------------------------------------------------------

I would like both text fields filled in with the form data, so clearly, the formdata processing must come after the embperl commands have executed, but that doesn't seem to be the case and I can't seem to find the appropriate options to direct Embperl to do so in this case.

How do I get the user generated html to be processed along with the epl html, so the form data structures work upon all the html as intended?

Could someone point me in the right direction, while I hunt through the documentation?

Thanks

Matthew E Kaiser
IT Department
Midwestern University - Downer's Grove Campus
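
A pre-check for the case Gus describes, as an added example that is not part of the original thread or of Embperl itself: it scans user-supplied HTML for Embperl block openers before the string is handed to Execute. The function name and the sample strings are constructed for illustration, the opener list assumes the default Embperl syntax, and the check is a first gate alongside the opcode restriction, not a substitute for it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Embperl block openers in the default syntax (assumption), keyed by the
# character that follows '['.
my %BLOCK_KIND = (
    '-' => 'code block',
    '+' => 'output expression',
    '!' => 'run-once code block',
    '*' => 'code block',
    '$' => 'metacommand',
    '#' => 'comment',
);

# Hypothetical helper: return one record per opener found in $html.
# An empty list means no Embperl block was detected. Any opener is
# reported, terminated or not, so the check errs on the side of rejecting.
sub find_embperl_blocks {
    my ($html) = @_;
    my @found;
    while ($html =~ /\[([-+!*\$#])/g) {
        my $start = $-[0];    # offset of the '[' that matched
        push @found, {
            offset  => $start,
            kind    => $BLOCK_KIND{$1},
            excerpt => substr($html, $start, 30),
        };
    }
    return @found;
}

# Constructed samples: the form field from the original question and the
# test case from the warning.
my @samples = (
    q{Answer2: <input id='answer_2' name='answer_2' type='text'>},
    q{<p>This is my DoS attack: [- while (1) {} -]},
);

for my $html (@samples) {
    my @hits = find_embperl_blocks($html);
    if (@hits) {
        printf "REJECT  %s at offset %d: %s\n",
            @{$_}{qw(kind offset excerpt)} for @hits;
    }
    else {
        print "ACCEPT  no Embperl block openers found\n";
    }
}
```

The first sample is accepted and can still be form-filled by Embperl, while the second is rejected at the `[-` opener before any of its Perl code is compiled.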