...
Taint mode also provides a handful of mechanisms for producing untainted data from tainted data. The preferred way to launder tainted data is to match it against a regular expression and use the captured substring: Perl treats the contents of $1, $2, and so on from a successful match as untainted, on the assumption that the pattern describes exactly what the programmer considers acceptable. The pattern should therefore be anchored and written as an allow-list of valid input; a pattern that merely finds a substring somewhere in the data launders it without validating it.
```perl
my $tainted_data = ...;   # initialized from an untrusted source
my $regex = ...;          # data is sanitary if it satisfies this pattern
if ($tainted_data =~ m{^($regex)$}) {
    my $sanitized_data = $1;   # $1 is untainted after a successful match
}
```

The match must be tested before $1 is used: if the match fails, $1 still holds the value from the last successful match, which may be unrelated data or nothing at all.
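The following is an added example, not code from the original page, of the laundering pattern above applied to a command-line argument. It assumes the script is run under taint mode (`perl -T`), uses Scalar::Util::tainted to show which values are tainted, and uses a hypothetical token format as the allow-list.

```perl
#!/usr/bin/perl -T
# Added example (not from the original page): launder a command-line
# argument with an anchored allow-list regex and show, via
# Scalar::Util::tainted, that only the captured value is untainted.
# Run as:  perl -T launder.pl 'abc-123'     (and try 'abc-123;id')
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical allow-list of what a valid token looks like.  Without the
# ^ and $ anchors in launder_token(), an input such as "abc-123;id"
# would still match and the capture would launder a fragment, which is
# rarely what the surrounding code expects.
my $token_re = qr/[A-Za-z0-9_-]{1,32}/;

# Returns the untainted token, or undef if the input is not acceptable.
sub launder_token {
    my ($input) = @_;
    return undef unless defined $input;
    if ($input =~ m{^($token_re)$}) {
        return $1;      # $1 from a successful match is untainted
    }
    return undef;       # never fall through and use a stale $1
}

# Under -T, @ARGV and %ENV are tainted sources.
my $raw = $ARGV[0] // '';
printf "input '%s' %s tainted\n", $raw, tainted($raw) ? 'is' : 'is not';

my $clean = launder_token($raw);
if (defined $clean) {
    printf "laundered value '%s' %s tainted\n", $clean,
        tainted($clean) ? 'is' : 'is not';
    # $clean may now be used in a taint-checked operation, for example:
    # open my $fh, '<', "/var/data/$clean.txt" or die "open: $!";
} else {
    die "rejected input: does not match $token_re\n";
}
```

Run with `perl -T`; with only the `#!/usr/bin/perl -T` line and a plain `perl launder.pl` invocation, Perl refuses to start with "Too late for -T option".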
...
There are other ways to untaint data. For instance, hash keys are never tainted, so a tainted value used as a hash key comes back out of the hash untainted; note that no validation has taken place, so this launders the data without making it safe. Taint mode also does not check the name of a method or subroutine that is called through a variable, so tainted data can select which code runs, as in:
```perl
$obj->$method(@args);
```
or
```perl
$foo->(@args);
```
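The following added example (not code from the original page) demonstrates both points: a tainted value loses its taint when used as a hash key, and a method invoked through a variable holding tainted data is not taint-checked. The Dispatcher package, its methods, and the allow-list are hypothetical; run it under `perl -T`.

```perl
#!/usr/bin/perl -T
# Added example (not from the original page).  Shows that a hash key is
# never tainted and that symbolic method dispatch is not taint-checked.
# Dispatcher and its methods are hypothetical.
# Run as:  perl -T dispatch.pl status     (and try: perl -T dispatch.pl reboot)
use strict;
use warnings;
use Scalar::Util qw(tainted);

package Dispatcher;
sub new    { return bless {}, shift }
sub status { return "status ok" }
sub reboot { return "would reboot host" }   # privileged action

package main;

my $tainted_action = $ARGV[0] // 'status';   # tainted under -T when given
printf "action '%s' %s tainted\n", $tainted_action,
    tainted($tainted_action) ? 'is' : 'is not';

# 1. Hash keys are never tainted.  Reading the value back from the key
#    list yields an untainted string, but nothing has validated it.
my %seen = ($tainted_action => 1);
my ($key) = keys %seen;
printf "same value read back as a hash key %s tainted\n",
    tainted($key) ? 'is' : 'is not';

# 2. Symbolic method dispatch: taint mode does not stop this call, so an
#    attacker who controls $tainted_action can pick 'reboot'.
my $obj = Dispatcher->new;
my $result = eval { $obj->$tainted_action() } // "error: $@";
print "unchecked dispatch: $result\n";

# 3. Safer: decide with an explicit allow-list hash.  The lookup, not the
#    taint system, is the control on which methods may be reached.
my %allowed = (status => 1);
if ($allowed{$tainted_action}) {
    print "allowed dispatch: ", $obj->$tainted_action(), "\n";
} else {
    print "refused: '$tainted_action' is not in the allow-list\n";
}
```

The `$foo->(@args)` form from the text behaves the same way for a code reference; calling a subroutine by a tainted *name* through `$foo->()` additionally requires `no strict 'refs'`, which is one more reason to dispatch through an allow-list hash of code references instead.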
Exactly which data Perl marks as tainted depends on the execution environment. For example, data read from a database may or may not be considered tainted. Perl's DBI module provides an optional TaintOut handle attribute: if it is set (and the program is running under taint mode), any data fetched from the database is tainted. By default it is not set, so database contents are trusted even when another, less trusted application wrote them. The companion TaintIn attribute makes DBI check that arguments passed to its methods are untainted, and Taint sets both.
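The following added example (not code from the original page) connects with and without TaintOut and reports whether a fetched value is tainted. It assumes DBD::SQLite is installed and uses an in-memory database with a constructed row; run it under `perl -T`, since TaintOut has no effect outside taint mode.

```perl
#!/usr/bin/perl -T
# Added example (not from the original page): compare a DBI handle with
# and without TaintOut.  Assumes DBD::SQLite; the table and row are
# constructed inline.  Run as:  perl -T dbi_taint.pl
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Returns 1 if a value fetched through a handle created with the given
# extra attributes is tainted, 0 otherwise.
sub fetched_value_is_tainted {
    my (%attrs) = @_;
    my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
        { RaiseError => 1, PrintError => 0, %attrs });
    $dbh->do('CREATE TABLE users (name TEXT)');
    # Constructed sample row: imagine it was written by a less trusted
    # application that shares this database.
    $dbh->do('INSERT INTO users (name) VALUES (?)', undef, 'alice; rm -rf /');
    my ($name) = $dbh->selectrow_array('SELECT name FROM users');
    $dbh->disconnect;
    return tainted($name) ? 1 : 0;
}

printf "default handle: fetched value %s tainted\n",
    fetched_value_is_tainted() ? 'is' : 'is not';
printf "TaintOut => 1:  fetched value %s tainted\n",
    fetched_value_is_tainted(TaintOut => 1) ? 'is' : 'is not';

# With TaintOut set, a fetched value must be laundered before it reaches a
# taint-checked operation such as system() or open() for writing, e.g.:
#   my ($safe) = $name =~ m{^([A-Za-z0-9_-]+)$} or die "unacceptable name";
```

Setting TaintOut is the right default for any application that does not fully control every writer of its database; the cost is that each fetched value has to be laundered explicitly, which is exactly the point.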
...