untainting regex input
by rastoboy (Monk)
on Aug 23, 2013 at 02:28 UTC

rastoboy has asked for the wisdom of the Perl Monks concerning the following question:
I'm writing a simple text search CGI script. The user types in a search term, and I perl grep through a data structure of the text and return data.
At the moment I untaint the user input by allowing only "word like" characters and such. However, I'd like to allow the users to use regular expressions in their searches. However, I am not enough of a regex master to know what to allow/disallow. I've been told that you can execute code in a regex, so that makes me nervous about accepting any regex.
Is there a tool or any hints as to how I could safely allow this? Any input would be greatly appreciated!
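One defensive way to handle the question above, as an added example that is not part of the original post or any reply to it: the user pattern is compiled inside eval so a malformed regex is reported instead of crashing the CGI, the (?{ }) and (??{ }) code-block constructs are refused explicitly (Perl itself already refuses them in a pattern interpolated from a string unless use re 'eval' is in effect, so code execution is not the main risk; runaway backtracking is), the length is capped, and the grep runs under an alarm as a best-effort backstop. The @records data and the subroutine names are constructed for this example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Constructed sample data standing in for the script's text structure.
my @records = (
    { title => 'Alpha', body => 'the quick brown fox' },
    { title => 'Beta',  body => 'jumps over the lazy dog' },
);

# Compile a user-supplied pattern; returns ($qr, undef) or (undef, $error).
sub compile_user_pattern {
    my ($input) = @_;
    return (undef, 'empty pattern')    if !defined $input || $input eq '';
    return (undef, 'pattern too long') if length($input) > 100;
    # Perl already dies on code blocks from interpolated strings without
    # use re 'eval'; rejecting them here gives a clear message instead.
    return (undef, 'code blocks are not allowed') if $input =~ /\(\?\??\{/;
    my $re = eval { qr/$input/i };
    return (undef, "invalid regex: $@") if !$re;
    return ($re, undef);
}

# Run the search under an alarm so a pathological pattern cannot hang the
# request indefinitely. Safe signals may delay delivery until the regex
# engine yields, so the length cap above remains the primary guard.
sub search {
    my ($re, $timeout) = @_;
    $timeout ||= 2;
    my @hits;
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        @hits = grep { $_->{body} =~ $re } @records;
        alarm 0;
    };
    alarm 0;
    return (undef, 'search timed out') if $@ && $@ eq "timeout\n";
    die $@ if $@;
    return (\@hits, undef);
}

# Example run with a constructed user pattern.
my ($re, $err) = compile_user_pattern('qu.ck|lazy');
die "$err\n" if $err;
my ($hits, $serr) = search($re);
die "$serr\n" if $serr;
print "$_->{title}\n" for @$hits;
```

In the real script the argument to compile_user_pattern would be the CGI parameter; a pattern that fails compilation should be reported to the user rather than silently matched literally.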