
Perl Security related Filter - Lines

I have a problem



8:38 pm on Sep 16, 2008 (gmt 0)

5+ Year Member

I use Perl script sources to create online auction scripts. But, after looking for a long time, one of the very last secrets (to me) is a set of security-related script lines like the ones below:

$form{'TITLE'} =~ s/\</\&lt\;/g;                      # encode every < as &lt;
$form{'TITLE'} =~ s/\>/\&gt\;/g;                      # encode every > as &gt;
$form{'TITLE'} =~ s/[\"\'\}\{\)\(\+]//g;              # delete the characters " ' } { ) ( +
$form{'TITLE'} =~ s/<!(?:--[\s\S]*?--\s*)?>\s*//g;    # delete <!-- ... --> comments and <!...> declarations, plus the whitespace after them
$form{'TITLE'} =~ s/[\~\^]//g;                        # delete ~ and ^
$form{'TITLE'} =~ s/~!/ ~!/g;                         # put a space in front of "~!"
$form{'TITLE'} =~ s/<*(javascript)[^>]+>//gi;         # delete "javascript" up to the next >, any case; <* means zero or more <
$form{'TITLE'} =~ s/(<[\s\/]*)(script\b[^>]*>)/$1x$2/gi;  # turn <script ...> into <xscript ...> and </script> into </xscript>
$form{'TITLE'} =~ s/<*(iframe)[^>]+>//gi;             # delete "iframe" up to the next >
$form{'TITLE'} =~ s/<*(script)[^>]+>//gi;             # delete "script" up to the next >

I know what they (are supposed to) do, and I know the meaning of some lines, like these:
$form{'TITLE'} =~ s/\</\&lt\;/g;
$form{'TITLE'} =~ s/\>/\&gt\;/g;

something like:

if a = < then save this as &lt;
if a = > then save this as &gt;
but I never found a webpage anywhere explaining in detail every one of those "s/[\"\'\}\{\)\(\+]//g;" etc. exact functions.

I care very much about security, and if I find some place where I can learn more about this, I would be very happy. I am Swiss, so my script-technical English is rather limited. This may make it a little harder to really understand everything written on the Web, especially when it comes to understanding lines like: s/<!(?:--[\s\S]*?--\s*)?>\s*//g;

Thank you very much for your help.




11:25 pm on Sep 16, 2008 (gmt 0)

5+ Year Member

What you need to know in order to understand those lines is to read about regular expressions. There are no tutorials that are going to explain exactly what those particular regexps do. You need to know what all the symbols inside the regexps mean in order to understand exactly what they are doing. Some of them are not well written, like this one:

$form{'TITLE'} =~ s/[\"\'\}\{\)\(\+]//g;

there is no need for all the backslashes:

$form{'TITLE'} =~ s/["'}{)(+]//g;

what it does is remove all the characters inside the square brackets [] from $form{'TITLE'}. It's better written like so:

$form{'TITLE'} =~ tr/"'}{)(+//d;

When it comes to just removing some characters from a string tr/// is very efficient.
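The substitutions from the first post, run in their original order on a constructed listing title, as an added example that is not code from either poster. It uses only core Perl; the sample title, the step labels and the function names are made up for this demonstration. The trace reports which of the ten lines actually change the string, and the last function checks the reply's claim that the bracketed character class with an empty replacement and tr///d delete exactly the same characters.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# One entry per line of the original filter: a label and a sub that applies
# that substitution to a copy of its argument and returns the result.  The
# regexes are the poster's, written without the superfluous backslashes.
my @steps = (
    [ 'encode < as &lt;'           => sub { (my $s = shift) =~ s/</&lt;/g; $s } ],
    [ 'encode > as &gt;'           => sub { (my $s = shift) =~ s/>/&gt;/g; $s } ],
    [ 'drop " \' } { ) ( +'        => sub { (my $s = shift) =~ s/["'}{)(+]//g; $s } ],
    [ 'drop <!-- --> and <!...>'   => sub { (my $s = shift) =~ s/<!(?:--[\s\S]*?--\s*)?>\s*//g; $s } ],
    [ 'drop ~ and ^'               => sub { (my $s = shift) =~ s/[~^]//g; $s } ],
    [ 'space before ~!'            => sub { (my $s = shift) =~ s/~!/ ~!/g; $s } ],
    [ 'drop javascript...>'        => sub { (my $s = shift) =~ s/<*(javascript)[^>]+>//gi; $s } ],
    [ 'x before script tag'        => sub { (my $s = shift) =~ s/(<[\s\/]*)(script\b[^>]*>)/${1}x$2/gi; $s } ],
    [ 'drop iframe...>'            => sub { (my $s = shift) =~ s/<*(iframe)[^>]+>//gi; $s } ],
    [ 'drop script...>'            => sub { (my $s = shift) =~ s/<*(script)[^>]+>//gi; $s } ],
);

# Run the whole chain in order.  Returns the filtered title and a reference
# to the list of labels whose substitution actually changed the string.
sub filter_title {
    my ($title) = @_;
    my @changed;
    for my $step (@steps) {
        my ($label, $apply) = @$step;
        my $next = $apply->($title);
        push @changed, $label if $next ne $title;
        $title = $next;
    }
    return ($title, \@changed);
}

# The reply's point: s/["'}{)(+]//g and tr/"'}{)(+//d remove the same
# characters.  Returns 1 when both forms give the same result for $s.
sub class_and_tr_agree {
    my ($s) = @_;
    (my $x = $s) =~ s/["'}{)(+]//g;
    (my $y = $s) =~ tr/"'}{)(+//d;
    return $x eq $y ? 1 : 0;
}

# Constructed sample title (not taken from the thread) carrying the kinds
# of markup the filter is aimed at.
my $title = 'Rolex <script>alert("x")</script> ~! (mint) {nos} ^ <!-- c --> <iframe src=x>';

my ($clean, $changed) = filter_title($title);
print "in : $title\n";
print "out: $clean\n";
print "lines that changed the string:\n";
print "  $_\n" for @$changed;
print "s/[...]//g and tr/...//d agree: ", class_and_tr_agree($title), "\n";
```

With this input only four lines report a change: the two that encode `<` and `>`, the one that deletes the bracketed characters, and the one that deletes `~` and `^`. That is a property of the ordering rather than of the sample: once the first two lines have turned every `<` and `>` into `&lt;` and `&gt;`, the comment-stripping line and the four tag-handling lines have nothing left to match, and the `~!` line runs after every `~` has already been removed. The neutralising work is done by the first two lines; the rest either delete characters or never fire. Note also that the filter never encodes `&`, so a title that already contains `&lt;` is passed through unchanged; if the module is available, HTML::Entities' encode_entities handles `&`, `<`, `>` and the quote characters in one call.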


4:10 pm on Sep 17, 2008 (gmt 0)

rocknbil (WebmasterWorld Senior Member, 10+ Year Member)

Perl Regular Expressions [search.cpan.org]. Stuff still drives me nuts sometimes. :-)


6:42 pm on Sep 17, 2008 (gmt 0)

5+ Year Member

@ rocknbil

Now this is what I was looking for! I am sure I will find a lot of answers and even more input to make my thing even more secure than it is already.

Great place here. Great people. Thank you!




5:56 am on Sep 21, 2008 (gmt 0)

phranque (WebmasterWorld Administrator, 10+ Year Member)

welcome to WebmasterWorld [webmasterworld.com], Auctioneer!
