[Dbix-class] Re: [Catalyst] untainting utf8 text for db

Mesdaq, Ali amesdaq at websense.com
Fri Jun 6 18:46:11 BST 2008


No escape sequence should get through if you reject any characters
outside of the allowed characters. For example you could just reject the
input and prompt for another input if this regex matches
(?:[^a-zA-Z0-9 _]+)
So escape sequences shouldn't affect this test.

Thanks,
------------------------------------------
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
------------------------------------------

-----Original Message-----
From: Daniel McBrearty [mailto:danielmcbrearty at gmail.com] 
Sent: Thursday, June 05, 2008 11:07 PM
To: The elegant MVC web framework
Cc: DBIx::Class user and developer list
Subject: [Dbix-class] Re: [Catalyst] untainting utf8 text for db

Thanks for the suggestions. Indeed, specifying a list of chars which is
clean (e.g. [a-zA-Z0-9_] for a username in English) is optimum, and I
prefer that. But when you are working with fully multilingual material,
this becomes pretty much impossible. As the site in question is all
about language learning and could eventually handle any language, that
is the issue.

Rejecting some of the suspicious chars you suggest is something I will
do - but even that is not foolproof as there are various ways (more than
one, IIRC, but I'm not sure what they all are) of using escape sequences
to get through.

Of the list you suggest, I'd need to keep (, ), ? - all the rest I could
kill quite happily.

Again, thanks for the input. I'm going to forward this to the
DBIx::Class list (as that is probably where it should have gone in the
first place).

_______________________________________________
List: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/dbix-class
IRC: irc.perl.org#dbix-class
SVN: http://dev.catalyst.perl.org/repos/bast/DBIx-Class/
Searchable Archive:
http://www.grokbase.com/group/dbix-class@lists.rawmode.org
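The two messages above describe one technique from two angles: Ali's reject-anything-outside-the-allowlist test, and Daniel's objection that a fixed ASCII class cannot cover multilingual input and that escape sequences need handling. The script below is an added example written for this page, not code from either poster or from Catalyst/DBIx::Class. It runs under Perl taint mode (`perl -T`), decodes the raw request bytes first so that malformed UTF-8 is rejected before validation, applies Ali's ASCII rule, and then a Unicode-property variant (`\p{L}\p{M}\p{N}`) that is this example's own assumption about how a multilingual allowlist might look. The sample inputs, the `decode_input`/`untaint_*`/`show` helper names, and the trick of grafting taint from `$ENV{PATH}` onto the samples are all constructed for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): allowlist untainting in Perl taint mode.
use strict;
use warnings;
use utf8;
use Encode ();
use Scalar::Util qw(tainted);
binmode STDOUT, ':encoding(UTF-8)';

# Make "\n" visible in the printed report.
sub show { my ($s) = @_; $s =~ s/\n/\\n/g; return $s }

# Step 1: turn request bytes into characters. Malformed UTF-8 makes decode
# die under FB_CROAK, so such input is rejected before any rule runs.
# The \p{...} classes below only mean something on decoded text, never bytes.
sub decode_input {
    my ($bytes) = @_;
    my $text = eval { Encode::decode('UTF-8', $bytes, Encode::FB_CROAK) };
    return defined $text ? $text : undef;
}

# Step 2a: Ali's rule. Reject the whole input if anything outside
# [a-zA-Z0-9 _] appears. The capture in the second match is what clears
# Perl's taint flag; \A and \z anchor at the true ends of the string.
sub untaint_ascii {
    my ($in) = @_;
    return if $in =~ /[^a-zA-Z0-9 _]/;
    my ($clean) = $in =~ /\A([a-zA-Z0-9 _]+)\z/;
    return $clean;
}

# Step 2b: multilingual variant (an assumption of this example, not a rule
# from the thread): letters, combining marks and digits of any script, plus
# space and underscore. Quote, %, \, ;, ( and ) are still rejected.
sub untaint_multilingual {
    my ($in) = @_;
    my ($clean) = $in =~ /\A([\p{L}\p{M}\p{N} _]+)\z/;
    return $clean;
}

# Pitfall: `$` also matches just before a trailing newline, so /^[a-z]+$/
# accepts "abc\n". Use \z (not $ or \Z) in untaint patterns.
sub dollar_accepts_trailing_newline {
    my ($in) = @_;
    return $in =~ /^[a-z]+$/ ? 1 : 0;
}

# Constructed samples, given as the raw bytes a form post would deliver.
# Under -T real request data is already tainted; here taint is grafted on
# from $ENV{PATH} so the script is self-contained.
my $taint = substr($ENV{PATH} // '', 0, 0);
my @samples = (
    "alice_42",                                          # plain ASCII username
    "o'brien",                                           # real name the ASCII rule rejects (Daniel's concern)
    "user%27",                                           # URL-escape sequence, rejected by both rules
    "\xC3\x84rzte \xE6\x97\xA5\xE6\x9C\xAC\xE8\xAA\x9E", # "Ärzte 日本語" as UTF-8 bytes
    "abc\n",                                             # trailing newline
    "bad\xFF",                                           # malformed UTF-8
);

for my $bytes (@samples) {
    my $text = decode_input($bytes);
    if (!defined $text) {
        printf "%-18s rejected: malformed UTF-8\n", show($bytes);
        next;
    }
    my $in = $text . $taint;
    my $a  = untaint_ascii($in);
    my $m  = untaint_multilingual($in);
    printf "%-18s ascii=%-9s multi=%-14s taint in/out: %d/%d\n",
        show($text),
        defined $a ? "'$a'" : 'REJECT',
        defined $m ? "'$m'" : 'REJECT',
        tainted($in) ? 1 : 0,
        (defined $m && tainted($m)) ? 1 : 0;
}
printf "/^[a-z]+\$/ on \"abc\\n\": %d\n", dollar_accepts_trailing_newline("abc\n");
```

Run it as `perl -T untaint.pl` (the `-T` on the shebang is only honoured when perl is started with the same flag). Two points the thread raises are visible in the output: the apostrophe in a legitimate surname is rejected by the ASCII rule, which is the cost Daniel describes, and neither rule lets `%27` or a backslash through, because an allowlist that excludes `%` and `\` leaves no room for the escape itself rather than trying to enumerate escape forms. Whichever class is chosen, the untainted value should still reach DBIx::Class as a bind parameter; the allowlist limits what data is accepted, it does not replace parameterised queries.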
