From: Jonathan S. <gel...@ge...> - 2001-11-26 22:44:18
FormMail.pl and wwwboard.pl are the real bogies as they are: A) used more than most of the other programs, B) apparently more often attacked by crackers and spammers. I address FormMail.pl here as the other one makes me brane hert ..

A lot of stuff can come from user supplied input via the form:

    my @fields = qw( recipient subject email realname redirect bgcolor background
                     link_color vlink_color text_color alink_color title sort
                     print_config required env_report return_link_title
                     return_link_url print_blank_fields missing_fields_redirect );

Yes, most of this is escaped and so forth, but I dunno, I get a worry that maybe this is still a large bunch of stuff to be sure that it is checked ..

Firstly, I am going to provide a means for the end user to override the use of these in the code (in a backward compatible way). Secondly, are any of the coverage guys on this list (Pony Man, Robin, anyone?) - it might be useful to be able to track the use of variables with a separate tool that can tell if (e.g.) escape_html() has been called on a variable before it is interpolated into a string that is going to be printed? Yeah, sure, I could reconstruct it from the proposed magic for non-Y2K compliant uses of (localtime)[5], but I can't be arsed ... it gives me the CvGv's ;-}

On the whole though, guys, it's looking great ...

/J\

--
Jonathan Stowe | <http://www.gellyfish.com>
This space for rent
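Added example, not code from FormMail.pl or from the poster, sketching the two ideas in this post in Perl: an operator-controlled allow-list of form fields, and an escape_html() that marks its output so the print path can refuse any value that has not been through it. The %ALLOWED list, the sample submission and the Escaped package are all constructed here for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(blessed);

# Hypothetical operator setting: the only form fields the script will
# accept. Everything else in the submission is dropped before use.
my %ALLOWED = map { $_ => 1 } qw(recipient subject email realname);

# Constructed sample of an already-parsed form submission (not a real
# request). "redirect" is not in the allow-list and will be discarded.
my %raw = (
    recipient => 'webmaster@example.com',
    subject   => 'Hello <script>alert(1)</script>',
    redirect  => 'http://attacker.example/',
);

# Keep only the allowed fields.
my %form = map { $_ => $raw{$_} } grep { $ALLOWED{$_} } keys %raw;

# escape_html() returns a blessed Escaped object rather than a plain
# string, so the output routine can tell escaped and raw values apart.
package Escaped;
use overload '""' => sub { ${ $_[0] } }, fallback => 1;
sub new { my ($class, $s) = @_; return bless \$s, $class; }
package main;

sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return Escaped->new($s);
}

# out() refuses anything that did not come back from escape_html().
sub out {
    for my $v (@_) {
        die "refusing to print a value that was not escaped\n"
            unless blessed($v) && $v->isa('Escaped');
        print $v;
    }
}

out(escape_html("Subject: $form{subject}\n"));   # printed, escaped
out("Subject: $form{subject}\n");                # dies: raw string
```

The check is only as good as the discipline of routing every print through out(); it is a runtime version of the static "was escape_html() called first" question raised in the post.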