Gossamer Forum

Form Input & Hacking

Are there any characters or combination of characters that could be input into an HTML form to hack, cause server damage or access restricted data?
What I'm trying to determine is whether I should create regular expressions to limit what can and can't be input into my form fields.
Any advice would be much appreciated.
Thank you.
Simon.
Re: [jai] Form Input & Hacking
This is a good CGI course in general, but the following specific page may help you:

http://www.easystreet.com/...r/lesson_four_2.html

- wil
Re: [jai] Form Input & Hacking
As Wil pointed out, there is some dangerous code, including JavaScript code, that could "disable" your application in terms of how the info is output.

In general, HTML and JavaScript code should not be allowed in form fields.
========================================
Buh Bye!

Cheers,
Me

Last edited by: Stealth: Oct 26, 2002, 10:26 PM
Re: Form Input & Hacking
The specific HTML tags that let malicious or disruptive code in are SCRIPT, FORM, OBJECT, EMBED, and APPLET. FRAMESET and PLAINTEXT can mess up your intended output as well. Here's an article you might find useful:

http://www.cert.org/...ries/CA-2000-02.html

You should also filter out any tag which contains a space followed by "on" - this gets rid of all the OnMouseOver, OnLoad, OnBlur events, etc., that your users may not appreciate.
Re: [jai] Form Input & Hacking
Quote:
Are there any characters or combination of characters that could be input into an HTML form to hack, cause server damage or access restricted data?

Yes, if your script is insecure.

To reduce the chance of such problems, use CGI.pm for form parsing and, whilst developing, turn taint checking on with the -T switch.

Using regexes for user input is always good.
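Putting Paul's three points together, as an added example that is not code from this thread: a CGI.pm script run under -T, where each field is untainted only by matching an allow-list regex, and the free-text field is HTML-escaped on output rather than having tags stripped (this goes a step beyond the strip-the-tags advice above). The field names are assumed.

```perl
#!/usr/bin/perl -T
# Taint mode (-T): every form value is "tainted" until it passes through a
# regex capture, so a field you forgot to validate cannot reach a file open,
# system() or similar call without Perl dying at runtime.
use strict;
use warnings;
use CGI;

$ENV{PATH} = '/bin:/usr/bin';   # taint mode refuses to run children with an inherited PATH
my $q = CGI->new;               # CGI.pm does the form parsing

# Allow-list patterns (hypothetical field names): describe what GOOD input
# looks like rather than trying to enumerate every bad tag or script string.
my %allowed = (
    username => qr/^([A-Za-z0-9_]{1,32})$/,
    email    => qr/^([\w.+-]+@[\w-]+(?:\.[\w-]+)+)$/,
    age      => qr/^(\d{1,3})$/,
);

my (%clean, @errors);
for my $field (sort keys %allowed) {
    my $raw = $q->param($field);
    $raw = '' unless defined $raw;
    if ($raw =~ $allowed{$field}) {
        $clean{$field} = $1;    # only the captured group is untainted
    } else {
        push @errors, $field;   # reject; do not try to "repair" the value
    }
}

# Free text cannot be described by a tight regex, so instead of stripping
# SCRIPT, FORM, "on..." attributes and so on, escape the whole value on output:
# <script> becomes &lt;script&gt; and is displayed, never executed.
my $comment      = $q->param('comment');
my $safe_comment = $q->escapeHTML(defined $comment ? $comment : '');

print $q->header('text/html');
if (@errors) {
    print '<p>Invalid value for: ', join(', ', @errors), "</p>\n";
} else {
    print "<p>Hello, $clean{username}!</p>\n",
          "<blockquote>$safe_comment</blockquote>\n";
}
```

To try it without a web server, run `perl -T form.cgi username=simon email=s@example.com age=30 'comment=<script>x</script>'`; CGI.pm reads name=value arguments from the command line, and the comment comes back escaped rather than executable.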
Re: [Paul] Form Input & Hacking
In my latest endeavors I've found that writing one's own libraries, if you will, for simple functions such as form parsing is handy in that you get a sense of complete and total control over what's going on. Likewise I've been adding to my form parsing lib.
Basically, since it's designed for use in any and all applications, it's got two parts.
The first part parses for data and immediately replaces the above-mentioned code and turns JavaScript, VBScript, etc. into comments and stores them in a file for checking out later.

The second converts what I like to call SML (simple markup language) into HTML.
It doesn't allow anything but server-side variables in its translations and won't link to files in its "@no_link" array up in the header.

<page:perl_stuffs>Perl Things and Stuff</page>

creates an <a href> with a description and everything formatted with a font and CSS tag to a page located in a specified directory or CGI query. All control is taken from the user.

Bottom line: if it's questionable, tr/$string//d; can't hurt :)