On Wed, 08 Sep 2004 00:43:44 +0200, Gunnar Hjalmarsson <[EMAIL PROTECTED]> wrote:

> Chris Welch wrote:
> > I have a form and someone submits weird stuff that probably
> > shouldn't be in there (but you never know.) This has to be written
> > to a DBM database/ filehandle.
> >
> > The weird stuff needs to be displayed in an HTML page when the DB
> > entry or file is read, however, to ensure that it is not malicious
> > I want to change it into an entity that's not going to do anyone
> > any harm, so I use HTML::Entities.
>
> So, the purpose of encoding "stuff" is to prevent it from causing bad
> things when displayed as HTML. Is that correct?
>
> In that case, the critical characters to encode are '<' and '>', but
> normally you also encode '&' and '"' (and maybe "'").
>
> > However, if there are things in there that HTML::Entities *can't*
> > convert (doesn't it only deal with characters that have a named
> > entity like & rather than ones that just have numbered
> > entities?) then I want to throw an error.
>
> What HTML::Entities is able to convert depends on which version you
> are using, among other things.
>
> But are you saying that you want to try to HTML encode every single
> character for security reasons before display? Personally I have never
> heard of such a need. Sure, people may submit odd characters that may
> not become properly rendered, but then we are no longer talking about
> security, are we?
>
> > Hence my list of acceptable characters *plus* entities being
> > allowed.
>
> Then I think I understand what you mean. At the same time I believe
> that what you want to do isn't necessary.
>
> In my world, you can either store the raw "stuff" in the DBM file, and
> encode the HTML critical characters each time you read it for display,
> or you can encode the HTML critical characters before storing "stuff",
> so that the stored data come (partially) HTML encoded and ready for
> display whenever you read it.
>
> Let me know if you think I have misunderstood anything.
You're going to regret saying that :)

But I thought the deal with writing to external files and such (remember some things will be written to flat files as well as DBM files) is that it is a security issue if no checking is done for malicious script. Surely if I convert these characters to entities then it solves both the security issue AND the displaying-in-a-web-page issue?

That being the case, surely it would be safer to convert things to entities on the off chance of something being a bit dodgy...
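The two storage strategies Gunnar describes (store raw and encode on read, or encode before storing and read as-is), as an added Perl example that is not from the thread. It assumes HTML::Entities is installed; the submitted string, the `$HTML_UNSAFE` character set and the helper names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# The characters that matter when stored text is rendered as HTML:
# '<' and '>' open and close tags, '&' starts an entity, '"' and "'"
# delimit attribute values. Everything else can be stored and shown as-is.
my $HTML_UNSAFE = q{<>&"'};

# Strategy 1: store the raw submission, encode on every read for display.
sub store_raw      { my ($input)  = @_; return $input; }
sub display_raw    { my ($stored) = @_; return encode_entities($stored, $HTML_UNSAFE); }

# Strategy 2: encode once before storing; what is read back is display-ready.
sub store_encoded  { my ($input)  = @_; return encode_entities($input, $HTML_UNSAFE); }
sub display_stored { my ($stored) = @_; return $stored; }

# Constructed sample submission: a script tag, an ampersand and an apostrophe.
my $submitted = q{<script>alert("hi")</script> & O'Brien};

for my $strategy (
    [ 'store raw, encode on read',   \&store_raw,     \&display_raw    ],
    [ 'encode on write, read as-is', \&store_encoded, \&display_stored ],
) {
    my ($name, $store, $display) = @$strategy;
    my $stored = $store->($submitted);
    my $html   = $display->($stored);
    # Neither '<' nor '>' survives, so a browser shows the text instead of a tag.
    die "$name leaked a tag" if $html =~ /[<>]/;
    print "$name:\n  stored:  $stored\n  display: $html\n";
}

# Caveat: doing both (encode before storing AND again on read) double-encodes,
# turning '&lt;' into '&amp;lt;', which the browser then shows literally as '&lt;'.
my $twice = encode_entities( store_encoded($submitted), $HTML_UNSAFE );
print "double-encoded: $twice\n";
```

Pick one of the two strategies per stored value and apply it consistently; the double-encoding at the end is what mixing them produces.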