And now for something completely different ...

Edgar Allen era at sky.net
Thu Nov 22 07:04:45 CST 2001


Forwarded message:
>
>I have been reading about this new script language Ruby. It looks really
>cool, but I have a few questions (which would be relevant to Perl|Python
>also. It allows regular expressions. My concerns on this are, how can I
>use such a language and protect myself from nasty little blue meanies
>bent on destroying my computer. Say I have an online comments entry web
>page. How do I protect myself from some kid typing in a regular
>expression that resolves to say "rm -rf /".
>
To perform any action like 'rm' the comment text would need to be executed
by an interpreter of some sort.  Such interpretation is always more dangerous
than not executing random user input.

Text entered to web pages should not be executed without some checks being
done first.

Usually text intended for input to further commands first has meta-characters
like '*', ';', '?', and even '%0A' removed to 'sanitize' it.

Know what the input is supposed to look like.  All numeric, single word, or
preset values like monthnames are examples.  Reject any which do not obey
the expected patterns.  Write tests for each pattern separately; do not attempt
to write code to accept/reject more than one at a time, because the mix allows
unexpected patterns to slip through.
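An added example (editor's illustration, not code from the post or the Kclug list) of the two points above in Ruby, the language the question asks about: one allow-list validator per expected input kind, and handing a comment to a program as an argument array rather than pasting it into a shell command line. The field names, the patterns and the use of `echo` as a stand-in for whatever program consumes the comment are assumptions. One Ruby-specific check is worth having: `^` and `$` match at line boundaries, so a `%0A` in the submission (a newline once decoded) lets "12\n; rm -rf /" pass a `/^\d+$/` test; `\A` and `\z` do not have that hole.

```ruby
require 'shellwords'

# One allow-list pattern per expected input kind (assumed field formats).
# Anchored with \A and \z: in Ruby, ^ and $ match at line boundaries, so
# /^\d+$/ accepts "12\n; rm -rf /" once a %0A has been decoded to a newline.
NUMERIC     = /\A\d{1,9}\z/
SINGLE_WORD = /\A[A-Za-z][A-Za-z0-9_-]{0,31}\z/
MONTHS      = %w[Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec].freeze

# Each validator checks exactly one pattern and nothing else; a missing
# (nil) field is rejected rather than raising.
def valid_number?(s)
  s.is_a?(String) && NUMERIC.match?(s)
end

def valid_word?(s)
  s.is_a?(String) && SINGLE_WORD.match?(s)
end

def valid_month?(s)
  s.is_a?(String) && MONTHS.include?(s)
end

# Apply one validator per field and report every field that fails.
# An empty result means the structured part of the form is acceptable.
# (Field names 'count', 'user', 'month' are assumptions for the example.)
def invalid_fields(form)
  checks = { 'count' => :valid_number?, 'user' => :valid_word?, 'month' => :valid_month? }
  checks.reject { |field, check| send(check, form[field]) }.keys
end

# The pattern the question worries about, constructed here to show why it is
# dangerous: the comment is interpolated into a string that /bin/sh would
# parse, so a comment of "; rm -rf /" becomes a second command.
# The string is only returned, never executed.
def unsafe_command_line(comment)
  "echo #{comment} >> comments.txt"
end

# Hardened form: program plus arguments as an array. Kernel#system and
# IO.popen given an array exec the program directly with no shell in between,
# so ';', '*', '?' and newlines are ordinary bytes inside one argument.
# 'echo' stands in for whatever program actually consumes the comment.
def append_comment_argv(comment)
  ['echo', comment]
end

# If a single command string is unavoidable (a remote shell, a log of what was
# run), Shellwords.join escapes every metacharacter in each argument.
def shell_safe_string(argv)
  Shellwords.join(argv)
end

if __FILE__ == $PROGRAM_NAME
  form = { 'count' => '3; rm -rf /', 'user' => 'bob', 'month' => 'Nov' }
  puts "rejected fields: #{invalid_fields(form).inspect}"
  puts "unsafe:  #{unsafe_command_line('; rm -rf /')}"
  puts "argv:    #{append_comment_argv('; rm -rf /').inspect}"
  puts "escaped: #{shell_safe_string(append_comment_argv('; rm -rf /'))}"
end
```

Rejection by allow-list means the comment body itself is never checked against a list of "bad" characters; it is simply never handed to anything that interprets it. The structured fields are the only ones a command ever sees, and each passes through exactly one validator.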




More information about the Kclug mailing list