Re: Question about CGI.pm
- From: carnildo@xxxxxxxxx (Mark Wagner)
- Date: Tue, 25 Mar 2008 15:14:45 -0700
On 3/25/08, LesleyB <lesley.binks@xxxxxxxxxxxxxx> wrote:
> I'm using the OO form in case that makes any difference. Assuming a
> 'my $qry = new CGI;'
> The first sentence
> "By default, all HTML that is emitted by the form-generating functions
> is passed through a function called escapeHTML(): "
> I'm slightly confused by the term 'form-generating' ... does this
> specifically mean functions such as start_form, checkbox_group, submit
> and end_form and to the exclusion of functions such as $qry->p(...) ?
> Or does it include everything uttered between $qry->start_form and
> $qry->end_form which might include a $qry->div() or $qry->p() ?
> The statement later in "The automatic escaping does not apply to other
> shortcuts, such as h1(). You should call escapeHTML() yourself on
> untrusted data in order to protect your pages against nasty tricks
> that people may enter into guestbooks, etc.." seems to indicate that
> escaping does not happen and I am tempted to consider "form-generating
> functions" as those that generate form elements such as radio boxes,
> pop-up lists, submit buttons and so on.
"Use the source, Luke".
Looking at the source code of CGI.pm indicates that start_html()
escapes the "title" attribute, but nothing else. start_form(),
textarea(), textfield(), button(), submit(), reset(), defaults(),
checkbox(), checkbox_group(), popup_menu(), optgroup(),
scrolling_list(), hidden(), and image_button() all escape all the
interesting parameters. Nothing else calls escapeHTML.
--
Mark Wagner
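The following script is an added illustration of the distinction drawn above; it is not part of the thread and not CGI.pm's own example code. It feeds one constructed piece of untrusted guestbook input through textfield() (one of the form-element generators that escape for you), through h1() (a shortcut that does not), and through h1() after an explicit escapeHTML() call. The helper names form_field_html, unsafe_heading_html and safe_heading_html and the parameter name "comment" are my own choices.

```perl
#!/usr/bin/perl
use strict;
use warnings;
# -no_debug stops CGI.pm from prompting for name=value pairs on STDIN
# when the script is run from a shell rather than under a web server.
use CGI qw(-no_debug);

# Constructed sample input: what a visitor could type into a guestbook field.
my $untrusted = '<script>alert(1)</script>';

# Build the query from an explicit hash so the sticky form field has a
# "submitted" value to echo back, just as it would after a real form POST.
my $q = CGI->new({ comment => $untrusted });

# Form-element generators such as textfield() run the current value
# through escapeHTML() themselves, so the markup comes out inert.
sub form_field_html {
    my ($q) = @_;
    return $q->textfield(-name => 'comment');
}

# h1() is a plain HTML shortcut: nothing is escaped, so the script
# element reaches the browser verbatim.
sub unsafe_heading_html {
    my ($q, $text) = @_;
    return $q->h1($text);
}

# What the CGI.pm docs ask for: escape untrusted data yourself before
# handing it to a shortcut.
sub safe_heading_html {
    my ($q, $text) = @_;
    return $q->h1($q->escapeHTML($text));
}

print "textfield : ", form_field_html($q), "\n";
print "h1 raw    : ", unsafe_heading_html($q, $q->param('comment')), "\n";
print "h1 escaped: ", safe_heading_html($q, $q->param('comment')), "\n";

# Sanity check on the two outputs that are supposed to be safe:
# no literal '<script' may survive in them.
for my $html (form_field_html($q), safe_heading_html($q, $q->param('comment'))) {
    die "unescaped script tag leaked into output\n" if $html =~ /<script/i;
}
```

Run it from a shell and compare the three lines: the first and third show the input with &lt; and &gt; entities, while the "h1 raw" line carries the unescaped tag, which is exactly the guestbook-style injection the documentation warns about. The exact attribute layout of the textfield output varies between CGI.pm versions, so only the escaping matters here. One caveat worth knowing: the form-element escaping is itself switchable with $q->autoEscape(0), so a script that turns it off loses even the protection the first line shows and must escape every sink by hand.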