On 3/25/08, LesleyB <[EMAIL PROTECTED]> wrote:
>
> I'm using the OO form in case that makes any difference. Assuming a
> 'my $qry = new CGI;'
>
> The first sentence
> "By default, all HTML that is emitted by the form-generating functions
> is passed through a function called escapeHTML(): "
> I'm slightly confused by the term 'form-generating' ... does this
> specifically mean functions such as start_form, checkbox_group, submit
> and end_form and to the exclusion of functions such as $qry->p(...) ?
> Or does it include everything uttered between $qry->start_form and
> $qry->end_form which might include a $qry->div() or $qry->p() ?
>
> The statement later in "The automatic escaping does not apply to other
> shortcuts, such as h1(). You should call escapeHTML() yourself on
> untrusted data in order to protect your pages against nasty tricks
> that people may enter into guestbooks, etc.." seems to indicate that
> escaping does not happen and I am tempted to consider "form-generating
> functions" as those that generate form elements such as radio boxes,
> pop-up lists, submit buttons and so on.
"Use the source, Luke". Looking at the source code of CGI.pm indicates
that start_html() escapes the "title" attribute, but nothing else.
start_form(), textarea(), textfield(), button(), submit(), reset(),
defaults(), checkbox(), checkbox_group(), popup_menu(), optgroup(),
scrolling_list(), hidden(), and image_button() all escape all the
interesting parameters. Nothing else calls escapeHTML.

--
Mark Wagner
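An added example (not from either poster) that makes the split above visible: the same untrusted string goes through textfield(), which escapes it for you, and through h1(), which does not, so the shortcut needs an explicit escapeHTML() call. It assumes CGI.pm with its default autoEscape setting and is run from the command line with an empty initializer so no query parameters override the -default value.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed sample of untrusted input, such as a guestbook entry.
my $untrusted = '<script>alert("xss")</script>';

# Empty initializer: no CGI parameters, and no offline-mode prompt
# for them on STDIN, so -default values below are what get rendered.
my $q = CGI->new('');

# Returns the three renderings so the difference can be compared.
sub render_comment {
    my ($text) = @_;

    # textfield() is a form-generating function: its -default value
    # is passed through escapeHTML() before being emitted.
    my $field = $q->textfield(-name => 'comment', -default => $text);

    # h1() is a plain HTML shortcut: no automatic escaping, the
    # markup in $text lands in the page untouched.
    my $unsafe_heading = $q->h1($text);

    # For shortcuts, escape untrusted data yourself before passing it in.
    my $safe_heading = $q->h1($q->escapeHTML($text));

    return ($field, $unsafe_heading, $safe_heading);
}

my ($field, $unsafe, $safe) = render_comment($untrusted);
print "textfield():       $field\n";
print "h1() raw:          $unsafe\n";
print "h1()+escapeHTML(): $safe\n";
```

Only the middle line of the output carries live markup; the other two have `<`, `>` and `"` turned into entities.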