CGI.pm shares the param namespace with the attribute namespace #6867
Comments
From perl-5.8.0@ton.iguana.be

Created by perl-5.8.0@ton.iguana.be

CGI.pm uses the object hash to store the parameter name/value pairs. In particular, you can set things like "dontescape". On at least one public website (identity withheld) running the CGI.pm

http://site.xxx.yyy/?field=qwe%22%3EX%3Cblink%3EXX%3Cx+x%3D%22&dontescape=1

where the "addr" parameter normally ends up in an input field with proper

Same idea from the commandline:

which outputs:

<input type="text" name="qwe">X<blink>XX<x x="" />

Or:

perl -MCGI=:standard -wle 'print escapeHTML(param("arg"));' arg=%3Cxss+here%3E\&dontescape=1

outputting:

Some other internal attributes look usable too. I think it's a fundamental mistake to use the object hash itself as the

The most recent CGI.pm (3.00) seems to have renamed dontescape to escape

Here's a "crash the CGI" example:

Perl Info
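As an added illustration (model code written for this page, not CGI.pm's source), a minimal Python sketch of the design flaw described in the report, a request parameter overwriting an internal attribute because both live in one hash, beside the separated-namespace alternative that the fix amounts to; the class names, `parse_params`, `escaped_param` and the sample query are invented for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed query string modelled on the report: a payload parameter plus a
# parameter whose name collides with the internal "dontescape" attribute.
SAMPLE_QUERY = "arg=%3Cxss+here%3E&dontescape=1"

def parse_params(query_string):
    """Decode a query string into {name: first_value} (hypothetical helper)."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}

class SharedNamespaceForm:
    """Toy model of the flawed design: parameters and internal attributes share
    one dict, so a request parameter named "dontescape" overwrites the flag."""

    def __init__(self, query_string):
        self.data = {"dontescape": 0}                 # internal attribute
        self.data.update(parse_params(query_string))  # params land in the same dict

    def param(self, name):
        return self.data.get(name)

    def escape_html(self, text):
        if self.data.get("dontescape"):               # request-controlled after collision
            return text
        return html.escape(text, quote=True)

class SeparatedForm:
    """Hardened model: parameters get their own dict; attributes are plain
    fields that no request parameter can reach."""

    def __init__(self, query_string):
        self.dontescape = False                       # never read from input
        self.params = parse_params(query_string)

    def param(self, name):
        return self.params.get(name)

    def escape_html(self, text):
        if self.dontescape:
            return text
        return html.escape(text, quote=True)

def escaped_param(form_class, query_string, name):
    """Return parameter `name` as the given design would emit it into HTML."""
    form = form_class(query_string)
    return form.escape_html(form.param(name) or "")
```

With the shared namespace the sample query comes back unescaped; with separated storage the same query is escaped and `dontescape` is just another parameter.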
From lstein@cshl.edu: Fixed in 3.38. Sorry for the delay.

The RT System itself - Status changed from 'new' to 'open'

From p5p@spam.wizbit.be: This is resolved in version 3.38 of CGI.pm.

p5p@spam.wizbit.be - Status changed from 'open' to 'resolved'
Migrated from rt.perl.org#24294 (status was 'resolved')
Searchable as RT24294$