On Tuesday 02 Feb 2010 15:20:16 Erez Schatz wrote:
On 2 February 2010 15:06, Shlomi Fish wrote:
Are you physically unable to say anything in a social manner?
I apologise for writing my posts in a rude manner. See below for my response.
my %hash = (3 => <<"EOF");
<!--- Insert nasty JS here --->
<img src="spammer stuff."...
This is called a cross-site scripting attack (http://en.wikipedia.org/wiki/Cross-site_scripting) and is very serious.
If someone accessed my server, and rewrote my CGI script, I probably
don't need to worry about cross-site scripting attacks. As it is, I
specifically mentioned that this can be used to pass variables from
Perl to the html document. For the other way, I asked for the OP to
supply us with more information.
You're right that in this case one will have bigger problems. However, telling
beginners that they should simply interpolate variables into the HTML may lead
them into thinking this is always the right thing to do, including in cases
where it is a function of user-input. And then you have thousands of scripts
written by beginners with XSS vulnerabilities.
I believe prevention is better than the cure and that we should instruct
newcomers on the proper way to write safe Perl code. Here are a few resources
Injection and Its Prevention".
No need to plead, and even so, there are other ways of passing data to
however, this is a beginner-level plain CGI question,
which is a few levels lower than the point you are trying to make.
It is still instructive to instruct beginners on the dangers of code/markup
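The interpolation problem discussed above, shown as an added Perl example that is not code from the thread: the same here-doc once with the raw value and once with the value escaped first. The `escape_html` helper and the sample input are constructed for illustration; in real code the usual choice is HTML::Entities::encode_entities.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the characters that let text break out of HTML text or
# attribute context. Stand-in for HTML::Entities::encode_entities.
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed "user input", as it might arrive in a query parameter.
my $name = q{<script>alert(1)</script>};

# Vulnerable: interpolating the raw value into the here-doc puts the
# markup straight into the page the browser renders.
my %unsafe = (3 => <<"EOF");
<p>Hello, $name!</p>
EOF

# Fixed: escape at the point where the value enters the HTML.
my $safe_name = escape_html($name);
my %safe = (3 => <<"EOF");
<p>Hello, $safe_name!</p>
EOF

print "UNSAFE:\n$unsafe{3}\nSAFE:\n$safe{3}";
```

The escaped version renders the tags as literal text instead of executing them, which is the behaviour a CGI script should have for any value it did not generate itself.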