perl-embperl mailing list archives

From "Kaiser, Matthew" <MKai...@midwestern.edu>
Subject RE: Processing user created html alongside epl html
Date Wed, 01 Jul 2015 12:03:48 GMT
Thanks for the warning!

My users do, in fact, need security clearance to access this module.

Matthew Kaiser – IT Department
Ext. 6138

From: Angus Lees [mailto:gus@inodes.org]
Sent: Tuesday, June 30, 2015 9:31 PM
To: Kaiser, Matthew; Andrew OBrien
Cc: embperl@perl.apache.org
Subject: Re: Processing user created html alongside epl html

Just a warning: You're now executing code provided by users on your server.  If you don't
trust these users, you'll want to restrict what opcodes are available to them: http://www.embperl.org/embperl/pod/doc/doc13/HTML/Embperl.-page-9-.htm

A good test case might be to see what happens when the user provides some embperl mixed with
their HTML:  "<p>This is my DoS attack: [- while (1) {} -]"

 - Gus

On Fri, 26 Jun 2015 at 05:14 Kaiser, Matthew <MKaiser@midwestern.edu> wrote:
I see, got it! Thanks!

Matthew Kaiser – IT Department
Ext. 6138

From: Kaiser, Matthew
Sent: Thursday, June 25, 2015 1:51 PM
To: Andrew OBrien; Kaiser, Matthew
Cc: embperl@perl.apache.org
Subject: RE: Processing user created html alongside epl html

I’m looking at the documentation at http://www.embperl.org/embperl/pod/doc/doc13/HTML/Embperl.-page-3-.htm
and I don’t see a way to use a string of raw HTML as an input to Execute.

Do you have an example I can work from?

Matthew Kaiser – IT Department
Ext. 6138

From: Andrew OBrien [mailto:i.am.andrewo@gmail.com]
Sent: Thursday, June 25, 2015 1:09 PM
To: Kaiser, Matthew
Cc: embperl@perl.apache.org
Subject: Re: Processing user created html alongside epl html

Unless I'm misunderstanding you could always call execute with the $user_html string as input:

From memory Execute allows a scalar as input rather than a filename.

Cheers,

Andrew


On 26 June 2015 at 01:55, Kaiser, Matthew <MKaiser@midwestern.edu> wrote:
Hi, all.

I have a page that takes html created by users

However, the embperl formdata structures don't seem to be aware of it.

Given parameters like this:

%fdat = (
       'answer_1' => 'one'
       , 'answer_2' => 'two'
       );

and

@ffld = (
       'answer_1'
       , 'answer_2'
       );

My user generated html parameter:

$user_html = "Answer2: <input id='answer_2' name='answer_2' type='text'>";

And my epl html contents is:

<html><body><form>
Answer1: <input id='answer_1' name='answer_1'><br>
[+ $user_html +]
</form></body></html>

----------------------------------

The result I will get is:     {just pretend the brackets are textfields in html}

Answer1: [ one ]
Answer2: [        ]

---------------------------------------------------------

I would like both text fields filled in with the form data, so clearly, the formdata processing
must come after the embperl commands have executed, but that doesn't seem to be the case and
I can't seem to find the appropriate options to direct Embperl to do so in this case.

How do I get the user generated html to be processed along with the epl html, so the form
data structures work upon all the html as intended?
Could someone point me in the right direction, while I hunt through the documentation?

Thanks

Matthew E Kaiser
IT Department
Midwestern University - Downer's Grove Campus

