note BrowserUk <blockquote><i> My issue is that Perl tries to "guess" when I have looked at the the input ("gee, the programmer captured some match groups from a regexp match on that input, so it MUST mean that he sanitized it"), instead of letting me tell it when I think I have looked at it closely enough (for example, but invoking a method untainted() on a variable). </i></blockquote> <p>Perl isn't "guessing". It is following the clearly laid out rule for 'detainting'. That is: <blockquote><i> Perl presumes that if you reference a substring using $1, $2, etc., that you knew what you were doing when you wrote the pattern. </i></blockquote> <p>And it goes on to say: <blockquote><i> That means using a bit of thought--don't just blindly untaint anything, or you defeat the entire mechanism. </i></blockquote> <p>That may not be how <i>you think it should work</i>; but it is the way it <b>does work</b>. For better or worse. <P>You can try putting forwards your arguments for a different -- presumably better in your eyes -- way of working; but given how long the current mechanism has been in place; that the mechanism is -- has to be -- deeply embedded within the Perl core; and the historic convention that says Perl does not break backward compatibility; and the net result is that you will have to learn to live with what is; because it is very unlikely to change at this point in time. <div class="pmsig"><div class="pmsig-171588"> <hr /> <font size=1 > <div>With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'</div> <div>Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.</div> <div>"Science is about questioning the status quo. Questioning authority". </div> <div>In the absence of evidence, opinion is indistinguishable from prejudice. <p align=right> [http://thebottomline.cpaaustralia.com.au/|RIP Neil Armstrong]</p></div> </font> </div></div> 1001997 1002102