Re^2: read HTML <title> tag

by muntfish (Chaplain)

on Jun 01, 2005 at 10:55 UTC ( [id://462385]=note: print w/replies, xml )

Need Help??

No, no, please don't do that; it's really insecure. It allows arbitrary code execution.

Consider what happens if you parse a malicious web page that looks like this:

<html>
<head>
<title>Nasty page"; system('rm -rf *');</title>
....
[download]

So, your substituted statement to be eval'ed becomes:

print "Title found is: Nasty page"; system('rm -rf *');

Would you really want to evaluate that?

At the very least, this code should be changed to:

$htmlData =~ /<title>(.+?|[^.]*)<\/title>/i;
print "Title found is: $1\n" if $1;
[download]

Check out "perldoc perlsec" for more information.

Update: fixed typo.

s^^unp(;75N=&9I<V@`ack(u,^;s|$.+\`|"$`$'\"$&\"$"|ee;/m.+h/&&print$&

Comment on Re^2: read HTML <title> tag Select or Download Code

Replies are listed 'Best First'.
Re^3: read HTML <title> tag by Elijah (Hermit) on Jun 01, 2005 at 21:16 UTC
The eval'ed side of the replacement expression should be filtered when user input is used you are correct, however you example far from a successful injection	[reply]

Domain Nodelet^?

Node Status^?

node history
Node Type: note [id://462385]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others studying the Monastery: (5)

As of 2024-04-20 00:05 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Voting Booth^?

No recent polls found