|
Kaye and Geoff's web page documentation
Resub: Perl package to translate escaped characters
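Packages are included in a Perl program with the 'require' operator. This one substitutes the escaped characters sent from a web browser back into their original form. It is also a convenient place to suppress the backquote character for security reasons. Note that suppressing the backquote closes only one route to a shell; the decoded string must still be treated as untrusted input by whatever code uses it.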
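package Re_sub;
use strict;
use warnings;
#
# Re-substitution of the escaped characters in a string sent by a web browser.
#
# Only the escapes listed in %CHAR_FOR are decoded. Anything else -- a lone
# %0D or %0A, %00, or a lowercase form such as %2f -- is left in the string
# as literal text, exactly as the original one-substitution-per-line version
# left it.
#
# NOTE(review): the published listing shows the %3C line truncated
# ("s/%3C/\/g;"), presumably because everything from '<' to '>' was eaten as
# an HTML tag when the page was rendered. The %3C, %3D and %3E entries below
# restore what that span most likely held.
#
my %CHAR_FOR = (
    '%0D%0A' => "\n",
    '%20'    => ' ',
    '%21'    => '!',
    '%22'    => '"',
    '%23'    => '#',
    '%24'    => '$',
    '%25'    => '%',
    '%26'    => '&',
    '%27'    => "'",
    '%28'    => '(',
    '%29'    => ')',
    '%2B'    => '+',
    '%2C'    => ',',
    '%2D'    => '-',
    '%2F'    => '/',
    '%3A'    => ':',
    '%3B'    => ';',
    '%3C'    => '<',
    '%3D'    => '=',
    '%3E'    => '>',
    '%3F'    => '?',
    '%40'    => '@',
    '%5B'    => '[',
    '%5C'    => '\\',
    '%5D'    => ']',
    '%5E'    => '^',
    '%60'    => '`',    # backquote: replaced again below, see security note
    '%7B'    => '{',
    '%7C'    => '|',
    '%7D'    => '}',
    '%7E'    => '~',
);

# One alternation over every known escape. Decoding in a single left-to-right
# pass means a '%' produced from %25 is never re-read as the start of another
# escape (the original achieved the same by substituting %25 last).
my $ESCAPE_RE = do {
    my $alternatives = join '|', map { quotemeta } sort keys %CHAR_FOR;
    qr/($alternatives)/;
};

#
# resub(STRING) -- return STRING with '+' turned into a space, the listed
# %XX escapes decoded, and every backquote replaced by an apostrophe.
#
# The sub is installed in package main so callers can use resub() unqualified
# after the 'require'. It is spelled main::resub because the older main'resub
# form is deprecated in current Perl releases.
#
sub main::resub
{
    my ($s) = @_;

    # '+' stands for a space; a real plus sign arrives as %2B and is decoded
    # afterwards, so the order of these two steps matters.
    $s =~ s/\+/ /g;

    if (index($s, '%') >= 0)
    {
        $s =~ s/$ESCAPE_RE/$CHAR_FOR{$1}/g;
    }

    #
    # security: suppress backquote so that input cannot invoke a Unix process
    # through backquote command substitution.
    #
    # This is one narrow safeguard, not input validation: other characters a
    # shell treats specially ($ ; | & ( ) < > and newline) are decoded above
    # and returned unchanged. Callers should keep the result away from
    # interpolated shell commands, e.g. by using the list form of system().
    #
    $s =~ s/`/'/g;

    return $s;
}
#
# ensure that package returns true
#
1;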
|