[ic] Search parameters in tutorial

Mike Heins heins@akopia.com
Wed, 31 Jan 2001 23:57:27 -0500

Quoting msquared (msquared@digitalwizards.com.au):
> As a side issue, it seems that we can add interchange tags to user
> comments on the tutorial.  You'll note that I made three tries at
> indicating some interchange tags in the user comments before I finally got
> it right.  :-)
> Is that a potential security risk?

Yes, and thank you for pointing it out. There is always a risk when you
display user data that gets put directly in a database. In this case,
the problem was supposed to be prevented by:

	@scrub = split /[\s,\0]+/, $CGI->{mv_data_fields};

	for( @scrub ) {
		$CGI->{$_} =~ s/\[/[/g;

Recently one of our people used the UI page editor to edit the page and
it became after the entities were translated on the way in:

	for( @scrub ) {
	    $CGI->{$_} =~ s/\[/[/g;

Oops. The UI page editor is a no-no right now for embedded Perl because
of this -- I will see if I can figure out a way to deal with this in
the future.

One thing that comes to mind is a directive like NoSearch which specifies
tables which should be allowed to contain square brackets (things that might
contain JavaScript, etc.) All others would not be allowed to have
them. Then you filter the resulting data on output.

Red Hat, Inc., 131 Willow Lane, Floor 2, Oxford, OH  45056
phone +1.513.523.7621 fax 7501 <heins@akopia.com>

Function in chaos, finish in style. -- Unknown