On Mon, 28 Sep 2015 10:04:51 -0500 Richard Reina <gatorreina@gmail.com> wrote:
2015-09-28 8:54 GMT-05:00 Shlomi Fish <shlomif@shlomifish.org>:
Hi Richard,
replying to the list. Please reply to the list next time - see the last line of my signature.
Sorry, meant to reply to the list.
I see - OK.
<div class="well" style="max-height: 300px;overflow: auto;">
  <ul class="list-group fancy-list-items">
  <!-- <ul class="list-group checked-list-box"> -->
  <table style="width:100%">
  <% FOREACH Pat IN Pats.values.sort('SNAME') -%>
  <tr class="list-group-item">
    <td width="25"><% Pat.ID %>
    <td width="70"><% Pat.SNAME %>
    <td width="75"><% Pat.ANAME %>
    <td width="35"><% Pat.SSN %>
    <td width="35"><% Pat.YR %>
    <td width="250"><% Pat.CHNAME %>
    <td width="550"><% Pat.DESCRIP %>
1. You're missing the closing tag - "</td>".
Thanks for pointing that out. Can't believe I missed that.
You're welcome. Are you validating your output? Do you have automated tests to do it for you?
Validation is a work in progress for me. Trying to find an elegant way to take it out of my Dancer app, but that's another story. In this particular case -- the case above -- all of the data is coming from a table via $sth->fetchall_hashref('ID'). Is there still such a vulnerability if it's not user input?
Well, if end users can insert data into the table somehow, then it's still vulnerable. Furthermore, if the fields in the table contain special HTML characters like <, >, &, etc., then it may confuse the browser's HTML parser and cause the HTML to not validate. So it's a good idea to escape the fields anyway when passing them to the output.

Regards,

-- Shlomi Fish

--
-----------------------------------------------------------------
Shlomi Fish http://www.shlomifish.org/
NSA Factoids - http://www.shlomifish.org/humour/bits/facts/NSA/

One of my most productive days was throwing away 1,000 lines of code.
— Ken Thompson (Attributed)

Please reply to list if it's a mailing list post - http://shlom.in/reply .
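The point of the reply above, shown as a runnable added example (this is not code from the thread or from Richard's Dancer app): the same `<% FOREACH Pat IN Pats.values.sort('SNAME') %>` loop rendered twice through Template Toolkit, once with the fields dropped in verbatim and once with Template Toolkit's built-in `html` filter applied to each field. The sample rows are constructed here and stand in for `$sth->fetchall_hashref('ID')`; one row carries a `<script>` payload as the "stored by an end user" case, the other only ordinary `&`, `<` and `"` characters. The `START_TAG`/`END_TAG` settings are an assumption so that the example accepts the `<% %>` delimiters seen in the thread; the real app's Template config is not shown on the page.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed sample data, standing in for $sth->fetchall_hashref('ID').
# Row 2 carries a stored-XSS payload; row 1 holds only ordinary
# metacharacters that still break or mis-render unescaped HTML.
my $pats = {
    1 => { ID => 1, SNAME => 'Smith', ANAME => 'Ann & Bob',
           DESCRIP => 'x < y' },
    2 => { ID => 2, SNAME => 'Jones', ANAME => '<script>alert(1)</script>',
           DESCRIP => '"quoted"' },
};

# Assumption: the app configures Template Toolkit to use <% %> delimiters.
my $tt = Template->new({
    START_TAG => quotemeta('<%'),
    END_TAG   => quotemeta('%>'),
}) or die Template->error;

# Unescaped: every field is interpolated into the markup as-is.
my $unescaped = <<'EOT';
<table>
<% FOREACH Pat IN Pats.values.sort('SNAME') -%>
<tr><td><% Pat.ID %></td><td><% Pat.SNAME %></td><td><% Pat.ANAME %></td><td><% Pat.DESCRIP %></td></tr>
<% END -%>
</table>
EOT

# Escaped: TT's html filter rewrites & < > " as entities on output,
# so field contents can never open or close a tag.
my $escaped = <<'EOT';
<table>
<% FOREACH Pat IN Pats.values.sort('SNAME') -%>
<tr><td><% Pat.ID | html %></td><td><% Pat.SNAME | html %></td><td><% Pat.ANAME | html %></td><td><% Pat.DESCRIP | html %></td></tr>
<% END -%>
</table>
EOT

# Render a template string with the given variables and return the HTML.
sub render {
    my ($template, $vars) = @_;
    my $out = '';
    $tt->process(\$template, $vars, \$out) or die $tt->error;
    return $out;
}

my $vars = { Pats => $pats };
my $bad  = render($unescaped, $vars);
my $good = render($escaped,   $vars);

print "--- unescaped ---\n$bad";
print "--- escaped ---\n$good";

# Check: the payload must reach the page only as text, never as a tag.
die "raw <script> reached the output" if $good =~ /<script>/;
print "OK: payload is entity-encoded\n" if $good =~ /&lt;script&gt;/;
```

In the unescaped rendering the second row emits a live `<script>` element and the first row's `<` and `&` are left for the browser to guess at; in the escaped rendering both rows come out as inert text. Applying the filter at the point of output is what makes this independent of where the data came from, which is why the reply recommends it even for rows that only ever come from your own table.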