http://www.perlmonks.org?node_id=1081013

Digioso has asked for the wisdom of the Perl Monks concerning the following question:

Heya Monks,

this may be just a stupid question but I couldn't find any solution for it so far... Basically I have an HTML form with a textarea you can copy anything you like into. The text is transferred via post method and then I want it to be displayed. So far so easy... But now I copy for example something like a whole Perl Script into the textarea. After clicking on submit Perl now starts to execute the contents of the textarea. My question is: How can I just display the text without Perl trying to execute it? Basically... how did they do it on this very website here with the \<code\> tags?
Just try using the sample script and copy the source code of the sample script into the textarea field in your browser.

Sample script:
    #!/usr/bin/perl -w
    use warnings;
    use strict;
    use CGI;
    use CGI::Carp qw/fatalsToBrowser warningsToBrowser/;

    my $cgi = CGI->new();
    print $cgi->header, # create the HTTP header
          $cgi->start_html(-title=>"Test", -author=>'webmaster at digioso.org');

    if($ENV{'REQUEST_METHOD'} eq 'GET')
    {
        print qq{<form action = "textareatest.pl" name = "form" method = "post">
        <textarea name = "text" cols = "50" rows = "10"></textarea><br/>
        <input type = "submit"/>
        </form>};
    }
    elsif($ENV{'REQUEST_METHOD'} eq 'POST')
    {
        my $text = $cgi->param('text');
        print qq{$text<br/>};
    }
    else
    {
        print "Unknown request method!<br/>";
    }
    print "</body></html>";
    exit 0;

Replies are listed 'Best First'.
Re: [Perl-CGI] Print non-interpolated string
by choroba (Cardinal) on Apr 03, 2014 at 22:37 UTC
    After clicking on submit Perl now starts to execute the contents of the textarea
    I cannot reproduce the problem. If I run your script, HTML in the textarea is interpreted by the browser, but Perl commands are not run. To prevent the contents from being evaluated, just replace all & with &amp;, and all < with &lt;.
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    لսႽ† ᥲᥒ⚪⟊Ⴙᘓᖇ Ꮅᘓᖇ⎱ Ⴙᥲ𝇋ƙᘓᖇ
      Thanks for the links all. I'll check them out.
      For now I have uploaded my sample script here: http://digioso.org/textareatest.pl
      Weird thing that you cannot reproduce it. Possibly could have to do with the webserver settings or the installed Perl version then.
      Neither are under my control unfortunately since I'm on a large webhoster.
Re: [Perl-CGI] Print non-interpolated string
by graff (Chancellor) on Apr 03, 2014 at 23:45 UTC
    If you want to preserve white-space patterns (e.g. line breaks, line-initial spaces, etc) when the browser displays the submitted text, you should apply the conversions described by choroba above, and then
    print qq{<pre>\n$text\n</pre><br/>};
      Thanks for this. :)
      It works with choroba's snippet and yours.
      I tried the escapeHTML function but Perl said that it couldn't find this one. According to the version 3.65 manual escapeHTML is being executed automatically.
      My webserver has CGI.pm version 3.42 installed.
      So my guess is that escapeHTML is a feature that was introduced in a later version.

        I tried the escapeHTML function but Perl said that it couldn't find this one.

        If you want to use the functional interface, either import the function, or use its fully qualified name (full name)

        According to the version 3.65 manual escapeHTML is being executed automatically.

        Well, you didn't understand what you read -- you're not using any of the form generators which would do this automatically

        So my guess is that escapeHTML is a feature that was introduced in a later version.

        It's been there for at least 20 years

Re: [Perl-CGI] Print non-interpolated string
by Anonymous Monk on Apr 03, 2014 at 22:47 UTC
    See escapeHTML in CGI documentation, also see DebugCGI
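
An added example, not part of any post in this thread: a stand-alone Perl script that applies the escaping the replies recommend to a constructed sample paste and checks that no markup character survives and that nothing is lost. The helper names `escape_html` and `unescape_html` are made up for this example; where CGI.pm is available, `CGI::escapeHTML($text)` is the call the replies point to.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper for this example: escape the characters that are
# significant in HTML element content and in quoted attribute values.
my %ENTITY = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
              '"' => '&quot;', "'" => '&#39;');

sub escape_html {
    my ($s) = @_;
    return '' unless defined $s;          # a missing form field arrives as undef
    $s =~ s/([&<>"'])/$ENTITY{$1}/g;      # one pass, so '&' is never escaped twice
    return $s;
}

# Inverse mapping, used only to check that escaping loses nothing.
sub unescape_html {
    my ($s) = @_;
    my %char = reverse %ENTITY;
    $s =~ s/(&(?:amp|lt|gt|quot|#39);)/$char{$1}/g;
    return $s;
}

# Constructed sample: what a user might paste into the textarea.
my $text = <<'END';
#!/usr/bin/perl
print "<b>done</b>\n" if $x < 3 && $y > 1;
print "</pre><h1>not part of the listing</h1>";
my $entity = '&lt;';   # already looks escaped, must still be shown literally
END

my $safe = escape_html($text);

# No markup character may survive, and the round trip must be lossless.
die "unescaped markup left\n" if $safe =~ /[<>"']/;
die "round trip failed\n"     if unescape_html($safe) ne $text;

# <pre> only preserves whitespace; the escaping is what stops the browser
# from interpreting the pasted </pre> and <h1>.
print "<pre>\n$safe</pre>\n";
```

The two substitutions from the first reply cover `&` and `<`, which is enough for text placed between tags; the extra `>`, `"` and `'` mappings here matter when the same value is also written into a quoted attribute.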