Hello, this little patch will reveal the parameter name of the tainted value in some cases. I haven't figured out how to do it in the other cases; I don't think the parameter name is preserved in the data structure.
Cheers, -Sven

diff -u HTML-Template-2.9/Template.pm HTML-Template-2.9.001/Template.pm --- HTML-Template-2.9/Template.pm 2007-01-29 20:32:21.000000000 +0100 +++ HTML-Template-2.9.001/Template.pm 2007-09-06 09:58:16.000000000 +0200 @@ -2567,6 +2567,9 @@ } else { (ref($param_map->{$param}) eq 'HTML::Template::VAR') or croak("HTML::Template::param() : attempt to set parameter '$param' with a scalar - parameter is not a TMPL_VAR!"); + if ($options->{force_untaint} > 1 && tainted($value)) { + croak("HTML::Template::param() : attempt to set parameter '$param' with a tainted value!") + } ${$param_map->{$param}} = $value; } }

_______________________________________________ Html-template-users mailing list Html-template-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/html-template-users
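Review bot: the new condition `$options->{force_untaint} > 1` in the TMPL_VAR branch compares an unset option numerically, so under `use warnings` every param() call on a template created without force_untaint will emit "Use of uninitialized value in numeric gt (>)"; write it as `($options->{force_untaint} || 0) > 1` or guard with `defined`. Two smaller points in the same three added lines: `tainted($value)` relies on Scalar::Util's `tainted` being imported somewhere in Template.pm, which this hunk does not show, and the added `croak(...)` has no trailing semicolon, unlike the existing croak call just above it (harmless as the last statement of the block, but inconsistent). Since this gives the `> 1` level of force_untaint a new meaning in param(), the option's POD should say that setting it above 1 makes param() croak on a tainted scalar value, and note that this only covers TMPL_VAR parameters, as the message says the loop case is not handled.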