Gossamer Forum

Security question about javascript & Links

Hi everyone, I have a question about the security of Links 2.0. My knowledge is very basic so bear with me.

According to William Bontrager, Editor of WillMaster Possibilities, placing JavaScript code into a form could read certain files or launch programs that could cause havoc on a server.

If you enter the following code into your search form:

<script>alert('WARNING!')</script>

and it comes back with a Warning dialog box then the script is not safe. Which does happen with search.cgi.

He suggests placing the following code into every perl program:

$InputFromTheForm =~ s/(\<.*?)(script)(.*?\>)/$1$3/gis;

Which then eliminates the word <script> from being entered into a form and eliminates a possible attack by a hacker using javascript.

Is there any reason not to add this perl code snippet into any of the scripts that have input forms? Are there any compatibility issues? Any security experts agree or disagree with this information?

Thanks

John Hesch

Source: WillMaster Possibilities #49, "Perl CGI Security Checks, Part I"
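As an added example (not code from this thread, from Links 2.0 or from the WillMaster article), the following runs the quoted substitution on the post's own test string and, beside it, the usual alternative of HTML-escaping the input so the browser shows it as text rather than parsing it as markup. The `html_escape` helper is my own; the CPAN module HTML::Entities provides `encode_entities` for the same purpose.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The substitution from the post: removes the word "script" from inside
# any <...> pair, including closing tags and attribute values.
sub strip_script_word {
    my ($input) = @_;
    $input =~ s/(\<.*?)(script)(.*?\>)/$1$3/gis;
    return $input;
}

# Output-encoding alternative: replace the characters HTML treats as
# markup with entities, so the text is displayed literally.
sub html_escape {
    my ($text) = @_;
    my %map = (
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Constructed sample input: the test string suggested in the post.
my $query = "<script>alert('WARNING!')</script>";

print "original: $query\n";
print "stripped: ", strip_script_word($query), "\n";
print "escaped:  ", html_escape($query), "\n";
```

The stripped version still contains the surrounding `<` and `>` characters and only blocks the one word, whereas the escaped version carries the whole input through as harmless text.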


Re: Security question about javascript & Links
Hi, is this meant seriously?
Of course you'll get an alert box if you instruct JavaScript to show one...
And as far as I know you cannot execute any file with JavaScript, since you simply have no possibility to address any files... (except cookies...)

Denis

Re: Security question about javascript & Links
Like I said, my knowledge is limited so I wanted to see if this info was accurate. I think the idea of the <script> test is to see if the perl script form already eliminates any reference to <script>. Yes, it is obvious that a warning will show up without the protective perl snippet.

John

Re: Security question about javascript & Links
Perhaps this is related to the security bug reported by Eliot in the thread located at:
http://gossamer-threads.com/...ew=&sb=&vc=1

- Bobsie
bobsie@orphanage.com
http://goodstuff.orphanage.com/
Re: Security question about javascript & Links
IMHO... the security bug I posted is unrelated to this thread.

Wink

Regards,

Eliot Lee