[ic] [loop-code] interpolation = security risk?
Jon Jensen
jon at endpoint.com
Thu Oct 23 00:32:10 UTC 2014
On Wed, 22 Oct 2014, Grant wrote:
> I see that cgi.coretag escapes "[". Do you remember where else this is
> done?
No, but it's in the core in several places IIRC.
> It's also worth mentioning that I can't figure out what line 2 here
> accomplishes (from cgi.coretag):
>
> # Eliminate any Interchange tags
> $value =~ s~<([A-Za-z]*[^>]*\s+[Mm][Vv]\s*=\s*)~<$1~g;
Do you mean ^ that line? I believe it covers MVASP tags, an ancient and
rarely-used MiniVend alternative tag method. Mike Heins would probably
remember better than I do, though.
> Any kind of a wrapper for IC5 available or planned?
Not that I know of. Part of the reason for moving from IC5 to IC6 is that
IC5 is a big monolith that is very hard to take only part of, and the
whole thing is its own world.
> Is porting basically a rewrite?
Yes, though the more Perl you've used in IC5, the easier it'll be to bring
that logic over.
Jon
--
Jon Jensen
End Point Corporation
https://www.endpoint.com/