I understand the need to sanitize inputs from an HTML form, but when I sanitized the file upload field in a recent module of mine, the file upload started failing. It's important to sanitize all form inputs, right? Even the special file upload field?
My form output code looks something like this:
use strict;
use warnings;
use CGI;

my $cgi = CGI->new;                  # same as "new CGI", in the form CGI.pm documents
print $cgi->header();
# ... print some HTML here
print $cgi->start_form();            # the form has to be sent as multipart/form-data for filefield() to upload anything
print $cgi->filefield(-name      => 'uploaded_file',
                      -size      => 50,
                      -maxlength => 80);
print $cgi->submit(-name  => 'continue',
                   -value => 'Continue');
print $cgi->end_form();
# ... print some more HTML here
And my sanitization code looks something like this (it's actually earlier in the same module as above):
use HTML::Entities qw(decode_entities);

# whitelist of characters allowed to survive in a parameter value
# (the hyphen goes last so it is a literal '-' and not a range)
my $OK_CHARS = 'a-zA-Z0-9 .,_-';

foreach my $param_name ( $cgi->param() ) {                 # no arguments, list context: every parameter name
    my $original_content = $cgi->param($param_name);
    my $replaced_content = decode_entities( $original_content );   # turn &amp; &lt; etc. back into plain characters first
    $replaced_content =~ s/[^$OK_CHARS]//go;               # delete every character that is not in the whitelist;
                                                           # /o compiles the interpolated pattern only once
    $cgi->param( $param_name, $replaced_content );         # store the cleaned value back into the query object
}
When I added the sanitization code recently, the file upload started failing. The filehandle is returning undefined now in this line:
my $uploadedFilehandle = $cgi->upload('uploaded_file');
So did I do something wrong in the sanitization code? I got that code snippet from the Internet somewhere, so I don't completely understand it all. I've never seen an 'o' regex modifier before and I've never used the HTML::Entities module before.
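Added example (not part of the original question) showing the mechanism behind the failure and a sanitize loop that leaves upload fields alone: CGI.pm's upload() only returns parameter values that are filehandle objects, so replacing the 'uploaded_file' value with a cleaned string leaves nothing for upload() to return. The multipart request, its boundary, the 'comment' field and the whitelist below are constructed for the demo; it feeds the request to CGI.pm from an in-memory STDIN so it runs without a web server (CGI.pm is no longer in Perl core since 5.22, so it may need `cpan CGI`).

```perl
#!/usr/bin/perl
# Added example, not code from the original post. Field names, the request
# body and the whitelist are assumptions made for the demonstration.
use strict;
use warnings;
use CGI;
use HTML::Entities qw(decode_entities);

# Server-side cap on the request body. filefield(-maxlength => 80) is only a
# client-side hint; $CGI::POST_MAX is what actually limits what CGI.pm reads.
$CGI::POST_MAX = 1024 * 1024;

# Hyphen last so it is literal. In 'a-zA-Z0-9 .,-_' the ',-_' piece is a range
# from ',' (0x2C) to '_' (0x5F), which lets through '/', ':', '<', '>' and '@'.
my $OK_CHARS = 'a-zA-Z0-9 .,_-';

# The loop from the question with its typos fixed. It rewrites the upload
# parameter too, so upload() no longer finds a filehandle under that name.
sub naive_sanitize {
    my ($cgi) = @_;
    for my $name ($cgi->param()) {
        my $clean = decode_entities(scalar $cgi->param($name));
        $clean =~ s/[^$OK_CHARS]//g;   # /o would only compile once; $OK_CHARS never changes, so /g alone is enough
        $cgi->param($name, $clean);
    }
}

# Same whitelist, but upload fields are skipped so their filehandle survives.
sub sanitize_text_params {
    my ($cgi) = @_;
    for my $name ($cgi->param()) {
        next if $cgi->upload($name);                # true only for file-upload parameters
        my @values = $cgi->can('multi_param')       # multi_param() exists from CGI.pm 4.08 on
                   ? $cgi->multi_param($name)
                   : $cgi->param($name);
        for (@values) {
            $_ = decode_entities($_ // '');         # decode first, then whitelist
            s/[^$OK_CHARS]//g;
        }
        $cgi->param(-name => $name, -values => \@values);
    }
}

# The client-supplied filename is untrusted: keep only the basename, apply the
# whitelist, and never build a path from it before this step.
sub safe_upload_name {
    my ($cgi, $field) = @_;
    my $fh = $cgi->upload($field) or return;
    (my $base = "$fh") =~ s{.*[/\\]}{};           # the upload handle stringifies to the client's filename
    $base =~ s/[^$OK_CHARS]//g;
    $base =~ s/^\.+//;                             # no dotfiles
    return length($base) ? $base : 'upload';
}

# ---- offline driver: a constructed multipart/form-data POST fed to CGI.pm ----
my $BOUNDARY = 'xYzZY';                            # constructed boundary
sub sample_body {
    return join "\r\n",
        "--$BOUNDARY",
        'Content-Disposition: form-data; name="comment"',
        '',
        'Tom &amp; Jerry <b>hi</b>',
        "--$BOUNDARY",
        'Content-Disposition: form-data; name="uploaded_file"; filename="../../etc/passwd"',
        'Content-Type: text/plain',
        '',
        'root:x:0:0:root:/root:/bin/bash',
        "--$BOUNDARY--",
        '';
}

sub parse_request {
    my $body = sample_body();
    local $ENV{REQUEST_METHOD} = 'POST';
    local $ENV{CONTENT_TYPE}   = "multipart/form-data; boundary=$BOUNDARY";
    local $ENV{CONTENT_LENGTH} = length $body;
    open my $in, '<', \$body or die "in-memory STDIN: $!";
    local *STDIN = $in;                            # CGI.pm reads the POST body from STDIN
    my $cgi = CGI->new;
    die $cgi->cgi_error if $cgi->cgi_error;        # e.g. "413 Request entity too large" past POST_MAX
    return $cgi;
}

my $broken = parse_request();
naive_sanitize($broken);
printf "naive loop: upload() is %s\n", defined $broken->upload('uploaded_file') ? 'defined' : 'undef';

my $cgi = parse_request();
sanitize_text_params($cgi);
my $fh = $cgi->upload('uploaded_file');
printf "fixed loop: upload() is %s\n", defined $fh ? 'defined' : 'undef';
printf "comment    => '%s'\n", scalar $cgi->param('comment');
printf "save as    => '%s'\n", safe_upload_name($cgi, 'uploaded_file');
printf "first line => %s\n", scalar <$fh>;
```

Run it with `perl upload_demo.pl`; the first line reports the upload lost after the naive loop, the second reports it still present after the loop that skips upload fields. Two things in the design are deliberate: the whitelist is applied to the client's filename only after stripping any directory part, because a name like `../../etc/passwd` must never reach a path operation, and the size limit lives in `$CGI::POST_MAX` rather than in the form, because anything the browser enforces can be bypassed by the client.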