I understand the need to sanitize the input from an HTML form, but when I sanitized the file upload field in my last module, the upload started to fail. It is important to sanitize all the input, right? Even a dedicated file upload field?
The code for my form looks something like this:
use CGI;
my $cgi = CGI->new;
print $cgi->header();
print $cgi->start_form();
print $cgi->filefield(-name      => 'uploaded_file',
                      -size      => 50,
                      -maxlength => 80);
print $cgi->submit(-name  => 'continue',
                   -value => 'Continue');
print $cgi->end_form();
And my sanitization code looks something like this (it actually runs earlier in the same module as above):
use HTML::Entities;
# Hyphen placed last so it is a literal character, not the range ',-_'
my $OK_CHARS = 'a-zA-Z0-9 .,_-';
foreach my $param_name ( $cgi->param() ) {
    my $original_content = $cgi->param($param_name);
    my $replaced_content = HTML::Entities::decode( $original_content );
    $replaced_content =~ s/[^$OK_CHARS]//go;
    $cgi->param( $param_name, $replaced_content );
}
When I recently added the sanitization code, the file upload started failing. Now the filehandle comes back undefined on this line:
my $uploadedFilehandle = $cgi->upload('uploaded_file');
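An added example (not the asker's code) of the same sanitization loop written so that it leaves the upload field intact: a CGI.pm upload parameter is a filename object tied to a temporary file, and overwriting it with a plain string is what makes $cgi->upload() return undef, so text parameters are cleaned and any parameter that $cgi->upload() recognises is skipped. It assumes CGI.pm 4.08 or later (for multi_param) and HTML::Entities are installed, and a form field named 'uploaded_file' as in the question.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use HTML::Entities qw(decode_entities);

# Hyphen placed last so it is a literal, not the range ',-_'.
my $OK_CHARS = 'a-zA-Z0-9 .,_-';

# Strip disallowed characters from every text parameter, in place.
# Upload parameters are skipped: replacing the filename object with a
# plain string would break $q->upload() for that field.
sub sanitize_text_params {
    my ($q) = @_;
    my @cleaned;
    for my $name ( $q->multi_param() ) {
        next if $q->upload($name);            # leave file uploads alone
        my @values = map {
            my $v = decode_entities($_);      # undo &amp; style encoding first
            $v =~ s/[^$OK_CHARS]//g;          # then drop anything not allowed
            $v;
        } $q->multi_param($name);
        $q->param( -name => $name, -values => \@values );
        push @cleaned, $name;
    }
    return \@cleaned;                         # names that were sanitized
}

my $cgi = CGI->new;
my $done = sanitize_text_params($cgi);
print $cgi->header('text/plain');
print "sanitized: @$done\n";

# The upload is still reachable after sanitization.
if ( my $fh = $cgi->upload('uploaded_file') ) {
    my $bytes = 0;
    while ( my $n = read( $fh, my $buf, 8192 ) ) { $bytes += $n }
    print "received $bytes bytes for uploaded_file\n";
}
else {
    print "no file was uploaded\n";
}
```

Validate the uploaded file separately (size limit, content type, and a server-generated storage name) rather than running the character filter over it.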