My guestbook was exploited

finding a secure guestbook

Aleister

1:31 am on Aug 26, 2004 (gmt 0)

10+ Year Member



Hello, I have several simple cgi guestbooks on my site, and earlier today someone posted a message saying "your guestbook is not very secure.. fix it" etc. All of the other entries were gone.

After taking a look at the source, I realized how simple it was. They had simply stuck in a <!-- which caused the browser to consider the rest of the page a comment. I hope I didn't just give anyone any ideas! :P

So anyway, I do not know enough about CGI to edit the file to strip out various commands, so does anyone know of a secure php or cgi guestbook which is secure? Thanks.

Edit: I guess the key thing would be for it to take <'s and >'s and convert them to &lt;'s and &gt;'s. But there might be some other exploits aside from that I am not thinking of.

diamondgrl

2:36 am on Aug 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You can edit out the <!-- with the following Perl line:

$newEntry =~ s/<\!--//g;

This assumes that the variable that contains the new guestbook entry is $newEntry. It eliminates all references to that.

Aleister

3:07 am on Aug 26, 2004 (gmt 0)

10+ Year Member



Thanks so much. I hate to ask, but could you perhaps show me a way I can simply do a search and replace in the string to convert all <'s and >'s to &lt;'s and &gt;'s?

I know.. this would be better to post in a CGI section :) I will move it there.

diamondgrl

3:59 am on Aug 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



$newEntry =~ s/</\&lt\;/g;
$newEntry =~ s/>/\&gt\;/g;

Aleister

4:04 am on Aug 26, 2004 (gmt 0)

10+ Year Member



Thanks so much. I assume arrays work the same, like below. I will find out though :) You have been a great help!

$form_data{'comments'} =~ s/</\&lt\;/g;
$form_data{'comments'} =~ s/>/\&gt\;/g;

diamondgrl

4:31 am on Aug 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That should work except that you described an associative array, better known as a hash, rather than a standard array.

A standard array is just a list, like @array = ('apple', 'banana', 'broccoli'), but an associative array associates the item with some other variable, such as

%hash = ('apple' => 'fruit', 'banana' => 'fruit', 'broccoli' => 'vegetable');

An item in the list, or standard array, is given by $array[0] = 'apple' where the item in the hash is $hash{apple} = 'fruit'.

NameNick

9:23 am on Aug 26, 2004 (gmt 0)

10+ Year Member



Aleister,

the comment tags are just the tip of the iceberg. The real problem is HTML+JavaScript. Everyone can inject any HTML and JavaScript code into your website. That is a real security issue.

There exist safe scripts that remove all HTML and script code from the entries.

NN

Aleister

1:36 pm on Aug 26, 2004 (gmt 0)

10+ Year Member



NameNick: But if I am stripping out <'s and >'s, would it still be possible for anyone to paste HTML or JavaScript? Since those are pretty important characters in the code.

diamondgrl: Well, I will test it out and see if it works like above. The data is actually being used like this:

print GUESTBOOK "$form_data{'comments'}\n";

so if I can't use that function the way it is now, maybe I could do something like this:

$temp_comments = $form_data{'comments'};
$temp_comments =~ s/</\&lt\;/g;
$temp_comments =~ s/>/\&gt\;/g;
print GUESTBOOK "$temp_comments\n";

There is also 'email' 'url' and 'name' but it is simply added in the same way. Thanks.

encyclo

1:45 pm on Aug 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Have you thought about swapping your current Guestbook script for something better-written, rather than trying to patch up its deficiencies?

If all you want is a very simple Perl/CGI guestbook, I would recommend the NMS guestbook script (and the other NMS scripts too):

[nms-cgi.sourceforge.net...]

Lord Majestic

1:51 pm on Aug 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



$newEntry =~ s/>/\&gt\;/g;

There is no need for this, as > will be ignored by the browser unless there was a < before it. Better change & to &amp; to prevent entities from being used.

Aleister

2:08 pm on Aug 26, 2004 (gmt 0)

10+ Year Member



LordMajestic: Good thinking.. Does this look right? :)

$temp_comments =~ s/&/\&amp\;/g;

encyclo: It seems it's not really going to take much to patch this. Just a matter of checking for a few characters, and switching them out. At least now I know how to do it, and can repeat it in the future if I need to. It actually took quite a while before I found a guestbook script that worked just like I wanted to :) Most others come up with their own guestbook page, rather than a simple structure for inclusion into the pre-existing page.
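The substitutions collected in this thread, put together as an added example (not code posted by anyone in the thread; the helper names and the sample entry are made up). It also shows why the & substitution has to run before the < and > ones, and adds " for fields that may end up inside an attribute such as the URL.

```perl
#!/usr/bin/perl
# Added example: escape a guestbook field so that posted HTML, comment
# markers and entities are displayed literally instead of being parsed.
use strict;
use warnings;

# Hypothetical helper name. The order matters: '&' must be replaced first,
# otherwise the '&' inside an already-inserted '&lt;' would be rewritten to
# '&amp;' and the browser would display the entity text, not '<'.
sub escape_entry {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;   # needed when the value is written into an attribute
    return $text;
}

# The same three substitutions in the order the thread arrived at them
# (< and > first, then &): kept here only to show the double-escaping.
sub escape_wrong_order {
    my ($text) = @_;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/&/&amp;/g;
    return $text;
}

# Constructed sample entry: the comment opener from the original post,
# a script tag and a literal ampersand.
my %form_data = (
    name     => 'Tom & Jerry',
    url      => 'http://example.invalid/" onmouseover="x',
    comments => '<!-- not very secure --><script>alert(1)</script> <3',
);

# Escape every field before it is written out; in the guestbook script this
# takes the place of: print GUESTBOOK "$form_data{'comments'}\n";
for my $field (qw(name url comments)) {
    my $safe = escape_entry($form_data{$field});
    print "$field: $safe\n";
}

# The wrong order turns '&lt;' into '&amp;lt;', so the entity shows as text.
print "wrong order: ", escape_wrong_order($form_data{comments}), "\n";
```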

Lord Majestic

2:14 pm on Aug 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yeah, I tested the code by making a quick Perl script. Preventing users from being able to post HTML and entities is a good first step to the security of anything that accepts and publishes posts from the Net.