CGI.pm 2.99 startform using CGI::Util escape() and other things

Post by slgra » Tue, 12 Aug 2003 22:29:39


The Systems people upgraded to CGI.pm 2.99 on my development web
server.


Code ----------------------------------------------------------
#!/usr/bin/perl -wT
use strict;
use CGI;
my $q = CGI->new();
$,="\n";
print $q->header(),
$q->start_html(),
$q->startform(),
$q->textfield({ -name => 'name1' , -size => '20' }),
$q->submit(),
$q->end_form(),
$q->end_html();

Output---------------------------------------------------
Use of uninitialized value in length at (eval 8) line 11.
Content-Type: text/html; charset=ISO-8859-1
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
" http://www.yqcomputer.com/ ">
<html xmlns=" http://www.yqcomputer.com/ " lang="en-US"
xml:lang="en-US"><head><title>Untitled Document</title>
</head><body>
<form method="post" action="%2F.%2Fsg1.cgi"
enctype="application/x-www-form-urlencoded">
<input type="text" name="name1" size="20" />
<input type="submit" name=".submit" />
<div>
</div>
</form>
</body></html>

Problem--------------------------------------------------------------
- First
The output "Use of uninitialized value in length at (eval 8) line 11."
is because in CGI.pm startform this code exists:
    if (length($ENV{QUERY_STRING})>0) {
        $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1);
    }
instead of this code:
    if (defined($ENV{QUERY_STRING}) && length($ENV{QUERY_STRING})>0) {
        $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1);
    }
That's minor and I reported it.

- Second
The real problem is that in startform $action=escape($action) -
I guess this was added because of the cross-site scripting fear
debated over at CERT and other places. But now I have no forms
working at all because instead of a valid URL I get escaped URLs
which the server doesn't recognize.

Comments, suggestions, thrashings all welcomed.
I've looked at and tried autoEscape - it has no impact.
I've looked at and tried all kinds of option flags.
I've looked at CGI.pm and Util.pm but I don't hack.

Since I'm a born again RTFM person I have dutifully searched everywhere
on the web and in books and have not found anything related to this other
than the security postings and a sailboat I want to buy.

Steve

--
PLEASE NOTE: comp.infosystems.www.authoring.cgi is a
SELF-MODERATED newsgroup. aa.net and boutell.com are
NOT the originators of the articles and are NOT responsible
for their content.

HOW TO POST to comp.infosystems.www.authoring.cgi:
http://www.yqcomputer.com/
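
Added example, not part of the original post and not CGI.pm's own code: it contrasts percent-encoding the whole action URL, which reproduces the `%2F.%2Fsg1.cgi` seen in the output above, with HTML-attribute escaping, which keeps the URL usable while neutralising markup characters, and it guards the unset QUERY_STRING case. `percent_encode_all`, `html_attr_escape` and `form_action` are hypothetical helper names, and the sample inputs are constructed.

```perl
#!/usr/bin/perl
# Added example: core Perl only, helper names are hypothetical.
use strict;
use warnings;

# Stand-in for percent-encoding an entire string: every character outside
# [A-Za-z0-9_.-] becomes %XX, so the "/" path separators are encoded too.
sub percent_encode_all {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9_.-])/sprintf("%%%02X", ord($1))/eg;
    return $s;
}

# HTML attribute escaping: neutralises markup characters and quotes,
# leaves URL syntax ("/", "?", "=") untouched.
sub html_attr_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Build a form action from CGI-style environment values.
sub form_action {
    my ($script_name, $query_string) = @_;
    my $action = $script_name;
    # An unset QUERY_STRING must not reach length(); this is the guard
    # missing in the "uninitialized value" case.
    if (defined($query_string) && length($query_string)) {
        $action .= '?' . $query_string;
    }
    return html_attr_escape($action);
}

# Constructed sample inputs: [script path, query string].
my @cases = (
    ['/./sg1.cgi', undef],
    ['/./sg1.cgi', 'a=1&b=2'],
    ['/./sg1.cgi', 'q="><b>injected</b>'],
);

for my $c (@cases) {
    my ($path, $qs) = @$c;
    my $raw = $path . ((defined($qs) && length($qs)) ? "?$qs" : '');
    printf "%-13s %s\n",   'whole-URL:',   percent_encode_all($raw);
    printf "%-13s %s\n\n", 'attr-escape:', form_action($path, $qs);
}
```
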
 
 
 

Post by alans » Fri, 15 Aug 2003 04:53:46

KandoCoder < XXXX@XXXXX.COM > writes:
[snip]

I have the same problem. Help?

- Alan

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Alan Schwartz | Disclaimer: I represent no one
< XXXX@XXXXX.COM > |
Asst. Prof. of Clinical Decision Making| Life is what happens to you while
University of Illinois at Chicago | you're busy making other plans
Department of Medical Education | - J. Lennon
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

