Chris Welch wrote:
Right the deal is thus - if I am getting the wrong end of the
stick, feel free to beat me over the head with said stick.

Okay, I'll see what I can do. :)

I have a form and someone submits weird stuff that probably
shouldn't be in there (but you never know.)  This has to be written
to a DBM database/ filehandle.

The weird stuff needs to be displayed in an HTML page when the DB
entry or file is read, however, to ensure that it is not malicious
I want to change it into an entity that's not going to do anyone
any harm, so I use HTML::Entities.

So, the purpose of encoding "stuff" is to prevent it from causing bad things when displayed as HTML. Is that correct?

In that case, the critical characters to encode are '<' and '>', but
normally you also encode '&' and '"' (and maybe "'").

However, if there are things in there that HTML::Entities *can't*
convert (doesn't it only deal with characters that have a named
entity like &amp; rather than ones that just have numbered
entities?) then I want to throw an error.

What HTML::Entities is able to convert depends on which version you are using, among other things.

But are you saying that you want to try to HTML encode every single
character for security reasons before display? Personally I have never
heard of such a need. Sure, people may submit odd characters that may
not become properly rendered, but then we are no longer talking about
security, are we?

Hence my list of acceptable characters *plus* entities being
allowed.

Then I think I understand what you mean. At the same time I believe that what you want to do isn't necessary.

In my world, you can either store the raw "stuff" in the DBM file, and
encode the HTML critical characters each time you read it for display,
or you can encode the HTML critical characters before storing "stuff",
so that the stored data come (partially) HTML encoded and ready for
display whenever you read it.

Let me know if you think I have misunderstood anything.

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
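The two storage strategies described in the reply (store raw and encode on every read, or encode once before storing), as an added example that is not part of the thread. It uses a plain hash in place of the tied DBM file, a constructed sample submission, and assumes a reasonably recent HTML::Entities, which falls back to numeric entities for characters that have no named one:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# The critical set from the thread: '<' and '>' plus '&', '"' and "'".
my $UNSAFE = q{<>&"'};

# Strategy 1: keep the raw submission in the store, encode at display time.
sub display_from_raw {
    my ($raw) = @_;
    return encode_entities($raw, $UNSAFE);
}

# Strategy 2: encode once before storing; the stored value is printed as-is.
sub store_encoded {
    my ($db, $key, $raw) = @_;
    $db->{$key} = encode_entities($raw, $UNSAFE);
}

# Last-line check before emitting: no '<', '>', '"' or "'" may remain,
# and every '&' must start a named or numeric entity. Returns 1 if safe.
sub is_safe_for_html {
    my ($s) = @_;
    return 0 if $s =~ /[<>"']/;
    return 0 if $s =~ /&(?!(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);)/;
    return 1;
}

my %db;   # stands in for the tied DBM hash (hypothetical store)
my $submitted = q{<script>alert("x")</script> & friends};   # constructed input

# Strategy 1: raw in, encoded on the way out.
$db{raw} = $submitted;
my $out1 = display_from_raw($db{raw});

# Strategy 2: encoded in, printed as stored.
store_encoded(\%db, 'enc', $submitted);
my $out2 = $db{enc};

for my $out ($out1, $out2) {
    die "refusing to emit unencoded markup\n" unless is_safe_for_html($out);
    print "$out\n";
}

# With no second argument, encode_entities also escapes control and
# high-bit characters, using numeric entities where no named one exists.
print encode_entities("caf\x{e9} \x{263A}"), "\n";
```

Both strategies yield the same page output; the difference is only whether the DBM holds raw or pre-encoded data, so pick one and apply it consistently to every read path.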
