On Tuesday 24 June 2008 02:08:00 Paul Fenwick wrote:

> As the user of a module, it's possible for me to pass in tainted data.  The
> module doesn't know from where it's been sourced.  However, unless the
> *intent* of the module is to untaint this data, anything derived from that
> data should probably remain tainted.  Likewise, unless the purpose of the
> module is to untaint incoming data, anything the module reads from an
> external source should probably also remain tainted.

That's my point.  Most of the uses of regexes in most of the distributions 
I've written never act on data that could possibly be tainted (unless you 
somehow named subroutines or classes with tainted strings, in which case you 
have worse things to worry about than my code).

-- c
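The three behaviours the thread is arguing about (taint propagating through ordinary operations, a regex capture untainting under -T, and a module opting out of that untainting) can be seen directly with Scalar::Util::tainted. The script below is an added illustration, not code from either poster's distributions; the three subroutines are hypothetical stand-ins for "a module", and the input is a constructed literal that is deliberately tainted by concatenating a zero-length slice of %ENV.

```perl
#!/usr/bin/perl -T
# Added illustration of taint propagation and regex untainting; not code from
# the thread or from any of the posters' modules. All three subroutines are
# hypothetical stand-ins for "a module" receiving caller-supplied data.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# A module that merely derives a value from its input. No regex capture is
# involved, so under -T the result inherits the taint of $input.
sub derive_without_untaint {
    my ($input) = @_;
    return lc($input) . '.local';
}

# A module whose stated purpose is validation. Under -T a successful regex
# match untaints its capture groups, so $1 comes back clean. Whether that is
# safe depends entirely on the pattern being a strict allowlist; the match
# itself is only the mechanism.
sub validate_hostname {
    my ($input) = @_;
    return $input =~ /\A([a-z0-9][a-z0-9.-]{0,252})\z/ ? $1 : undef;
}

# A module that uses a regex for parsing rather than validation and does not
# want to launder the data as a side effect. "use re 'taint'" is lexically
# scoped and makes captures keep the taint of the string they matched.
sub split_first_token {
    my ($input) = @_;
    use re 'taint';
    return $input =~ /\A(\S+)/ ? $1 : undef;
}

# Constructed input: an untainted literal made tainted by appending a
# zero-length substring of $ENV{PATH}, which is always tainted under -T.
defined $ENV{PATH} or die "PATH must be set for this demonstration\n";
my $user_supplied = 'example.com' . substr($ENV{PATH}, 0, 0);

for my $case (
    [ 'input itself',                  $user_supplied ],
    [ 'derived, no regex',             derive_without_untaint($user_supplied) ],
    [ 'allowlist capture',             validate_hostname($user_supplied) ],
    [ "capture under use re 'taint'",  split_first_token($user_supplied) ],
) {
    my ($label, $value) = @$case;
    printf "%-32s %s\n", $label, tainted($value) ? 'TAINTED' : 'clean';
}
```

Run it as `perl -T taint_demo.pl` (the -T on the command line must match the shebang, or perl refuses with "Too late for -T"). The input, the derived value and the `use re 'taint'` capture all report TAINTED; only the allowlist capture reports clean. That is the practical version of the point above: a regex inside a module only launders data if that module is actually handed tainted data, and a module that does not intend to validate can keep its captures tainted with `use re 'taint'`.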
