Broken pipes

Why converted?

         

adni18

11:55 pm on Sep 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Why are all non-broken pipelines converted into broken pipelines (¦) here?

DrDoc

6:21 pm on Oct 4, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That's the simple nature of the Perl script that processes the post. It is set to url-decode the posted data. Thus, %40 becomes @, etc.

Still, it shouldn't be too hard to convert the pipe separately before the rest.

mincklerstraat

8:17 pm on Nov 8, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This would be a great advantage. I don't know how many times I've had something break, either on my side from copied code, or in code I wrote that was reported by someone as not working, and only a good deal later realized, 'it's them pipes'! (just had one again so I post this here - sorry if thread is too old)

bakedjake

10:45 pm on Nov 8, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Security. You don't want unbroken pipes going through the system.

Brett_Tabke

11:51 am on Nov 9, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Jake's got it - that is the reason - a pipe character will never be stored in the db here. That alone eliminates tens of thousands of potential hacks that hit other bbs systems.

ddent

1:57 am on Nov 10, 2004 (gmt 0)

10+ Year Member



As I'm sure Brett can attest to, consider that writing something to parse input from untrusted users and remove any nasties while still allowing markup is extremely challenging; it is very easy to make a mistake.

Brett_Tabke

8:29 pm on Nov 10, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



just fyi: the pipe character is an extremely powerful command line operator under Unix. It is one of the top all time ways to hack web based Unix apps.

shri

1:17 am on Nov 11, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>> It is one of the top all time ways to hack web based Unix apps.

Brett, your code is showing its age. Please don't tell me your search is widget_web_app ¦ grep $query ¦ reformat_web_app (err .. u know what I mean... )

mincklerstraat

1:21 pm on Nov 11, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for the info guys. Yes, indeed, sanitizing user input can be hell, if you have to make special allowances for certain things but also need to stymie hack attacks.

Just a thought, but maybe in a future edition of the WebmasterWorld bbcode, you could have [pipe], and convert all pipes to [pipe], and output [pipe] with |? Or maybe convert something like þ to this?
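
An added example, not part of the original thread and not WebmasterWorld's code (which the thread says is Perl): a Python sketch of the two defenses discussed above, the storage-side replacement of `|` with `¦` and a search helper that passes the query to `grep` as an argument instead of building a shell pipeline. The function names and the sample posts are constructed for illustration, and a `grep` binary on the PATH is assumed.

```python
import subprocess

BROKEN_BAR = "\u00a6"  # the "broken pipe" character stored in place of "|"

# Constructed sample data standing in for stored forum posts.
POSTS = "widgets | grep foo\nplain widget post\nanother line\n"


def neutralize_pipes(text: str) -> str:
    """Storage-side filter as described in the thread: no '|' reaches the db."""
    return text.replace("|", BROKEN_BAR)


def count_matches(query: str, corpus: str) -> int:
    """Count the lines of corpus that contain query as a literal string.

    The command is an argv list and no shell is started, so '|', ';' or '$'
    in the query are plain data. -F turns off regex matching and -e keeps a
    leading '-' in the query from being read as an option.
    """
    if not query or "\n" in query or "\x00" in query:
        raise ValueError("query must be a non-empty single line")
    proc = subprocess.run(
        ["grep", "-F", "-c", "-e", query],
        input=corpus,
        capture_output=True,
        encoding="utf-8",
        check=False,
    )
    if proc.returncode not in (0, 1):  # 0 = match, 1 = no match, else error
        raise RuntimeError(proc.stderr.strip())
    return int(proc.stdout.strip())


if __name__ == "__main__":
    # The pipe in the query is searched for, never executed.
    print(count_matches("| grep", POSTS))
    # After the storage filter the literal pipe no longer matches, which is
    # the copy-and-paste breakage the posters describe.
    print(count_matches("| grep", neutralize_pipes(POSTS)))
```
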