[Catalyst] [OT] protecting against attacks with multilingual input

Daniel McBrearty danielmcbrearty at gmail.com
Tue Dec 5 13:10:05 GMT 2006


Yes, I would know the language being supported. There are a lot of
languages though. Does it work with Chinese, or Marathi (Devanagari)?

I didn't know that \W did that though. I guess I need to look into it.
Never seen that in the perldocs - any idea where I can look for the
small print?

On 12/5/06, Joel Bernstein <joel at fysh.org> wrote:
> On Tue, Dec 05, 2006 at 01:10:35PM +0100, Daniel McBrearty wrote:
> > How does one do this?
> >
> > If you have a text input field which can be in *any* language, which
> > will get stored in the db, how do you protect against script
> > injection?
> >
> > If it's just english, I normally only accept characters from a given
> > list (something like /[A-Za-z0-9]/ , plus whitespace and punctuation).
> > But if the input can be in any language .... ??
>
> Isn't there any way you could require the input to be associated with a
> particular language? Perl supports locale definitions which modify, for
> example, the set of 'word' characters matched by the \w regular
> expression escape. If you could dynamically switch locales to the
> correct one for your input text then you could trivially s/\W//g to
> sanitize strings.
>
> If you really have to accept input in any language without knowing
> what language it is, then perhaps you should take the opposite approach
> and test for the presence of certain characters which you can be sure
> would occur in program code but not typically in text. Of course,
> English might suffer without the dollar-sign and semicolon, and you may
> decide that this is overly restrictive on your users...
>
> /joel


-- 
Daniel McBrearty
email : danielmcbrearty at gmail.com
www.engoi.com : the multi - language vocab trainer
BTW : 0873928131
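Added worked example (not code from the thread, from Daniel or Joel, or from Catalyst): Joel's \W-stripping idea run on decoded Unicode strings in a modern Perl, which shows what \w does with Chinese and Devanagari text without any locale switching, next to the alternative of leaving the text intact and escaping it when it is rendered into HTML. The sample strings and both helper subs are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                         # literals in this file are UTF-8 text
use feature 'unicode_strings';    # Unicode rules for \w on every string (Perl 5.12+)
use open qw(:std :encoding(UTF-8));

# Constructed sample inputs (not from the thread): English, Chinese,
# Marathi in Devanagari (with combining vowel signs), and a script tag.
my @samples = (
    "Hello, world!",
    "你好，世界",
    "नमस्कार जग",
    "<script>alert(1)</script>",
);

# Joel's s/\W//g idea applied to a decoded Unicode string: here \w
# matches letters, digits and combining marks of every script, so the
# Devanagari vowel signs survive and no locale switching is needed.
# Whitespace is kept; all other punctuation and symbols are removed.
sub strip_non_word {
    my ($text) = @_;
    (my $clean = $text) =~ s/[^\w\s]//g;
    return $clean;
}

# The complementary defence: store the text unchanged and escape the
# HTML metacharacters at the point where it is written into a page.
sub html_escape {
    my ($text) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    (my $out = $text) =~ s/([&<>"'])/$map{$1}/g;
    return $out;
}

for my $s (@samples) {
    my $words = () = $s =~ /\w/g;            # how many characters \w accepts
    printf "%s\n  stripped: %s (%d word chars)\n  escaped:  %s\n",
        $s, strip_non_word($s), $words, html_escape($s);
}
```

Note that the stripping approach also discards legitimate apostrophes, currency signs and CJK punctuation, which is the trade-off Joel mentions; escaping on output keeps the stored text intact.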