Environment variables with Newlines

P E Schoen

I have a form with input variables which are submitted to a Perl script by
POST, but one of them is a TextArea which accepts multiline user input that
may contain Newline characters. When these are encountered, an error occurs
which is "malformed header", although the data is still correctly inserted
in a text field of the database.

This data will be used to create HTML web pages, so the Newline characters
could be replaced by <br> tags using Javascript. Or is there a better way to
do this?

Thanks,

Paul
 
Jukka K. Korpela

P said:
> I have a form with input variables which are submitted to a Perl
> script by POST, but one of them is a TextArea which accepts multiline
> user input that may contain Newline characters. When these are
> encountered, an error occurs which is "malformed header", although
> the data is still correctly inserted in a text field of the database.

Which software reports such an error?

By the specifications, and in practice, a newline entered in a textarea is
converted, by a browser, to the canonical form CR LF which in turn becomes
%0D%0A, in the default encoding for form data. So your Perl script should be
written so that it properly handles this. Doesn't the library you're using
do this automatically?

> This data will be used to create HTML web pages, so the Newline
> characters could be replaced by <br> tags using Javascript. Or is
> there a better way to do this?

Of course - such things should be done server-side, in your Perl script in
this case. But the details depend on how newlines in textarea are supposed
to affect the outcome. If you really want to preserve the exact division
into lines in the user input (which would be rather questionable, though
perhaps meaningful in some special cases), then you could use <pre> markup.
But this also depends on how the HTML document is to be generated.
 
P E Schoen

"Jukka K. Korpela" wrote in message
> Which software reports such an error?

It is in the error logs of the server:
malformed header from script.
Bad header=Carriage Return Bad?: EventProcessor.pl,
referer: http://www.pauleschoen.com/SCGBG/EventSubmit.htm

> By the specifications, and in practice, a newline entered in a textarea is
> converted, by a browser, to the canonical form CR LF which in turn becomes
> %0D%0A, in the default encoding for form data. So your Perl script should
> be written so that it properly handles this. Doesn't the library you're
> using do this automatically?

I thought this was happening when the script was reading the environment
variables. But now I think it may be the generation of the HTML to stdin.
This is done in a heredoc as follows:

Content-type: text/html

<html><body>
<br>$in{'Entry_Description'}</br></p>

This is where the user gets a message that the form data has been processed.
But the error causes a Server error message to be displayed instead. This is
done as a final step after all other input processing has been done, and all
of that seems to be OK.

> Of course - such things should be done server-side, in your Perl script in
> this case. But the details depend on how newlines in textarea are supposed
> to affect the outcome. If you really want to preserve the exact division
> into lines in the user input (which would be rather questionable, though
> perhaps meaningful in some special cases), then you could use <pre>
> markup. But this also depends on how the HTML document is to be generated.

Well, I added the <pre> tag, and it works!

Thanks!

Paul
 
Beauregard T. Shagnasty

P said:
> I have a form with input variables which are submitted to a Perl
> script by POST, but one of them is a TextArea which accepts multiline
> user input that may contain Newline characters. When these are
> encountered, an error occurs which is "malformed header", although
> the data is still correctly inserted in a text field of the database.
>
> This data will be used to create HTML web pages, so the Newline
> characters could be replaced by <br> tags using Javascript. Or is
> there a better way to do this?

As Jukka suggests, do it server-side. I use PHP, not Perl; there should
be an equivalent to this:

$ccomment = str_replace(Chr(10), "<br>", $ccomment);
echo $ccomment;

Of course, fill in the rest of your display goodies .. <div>s and CSS
and whatevers.
 
P E Schoen

"P E Schoen" wrote in message
"Jukka K. Korpela" wrote in message
> It is in the error logs of the server:
> malformed header from script.
> Bad header=Carriage Return Bad?: EventProcessor.pl,
> referer: http://www.pauleschoen.com/SCGBG/EventSubmit.htm
> I thought this was happening when the script was reading the
> environment variables. But now I think it may be the generation
> of the HTML to stdin. This is done in a heredoc as follows:
>
> Content-type: text/html
>
> <html><body>
> Well, I added the <pre> tag, and it works!

Actually, that only masked the real culprit, which was as follows:

<h4>Times: $in{'Entry_Start_DOW,'} $in{'Entry_Start_DT'} to ...

I noticed that the Entry_Start_DOW input variable was not displayed, and I
saw the error when I examined the Perl code. I changed this code a little
bit and the comma got into the reference for the input variable.

When I was testing the form, I played around with adding HTML tags on the
user end, and I found that they work as expected to change fonts and colors,
and even to display an image with an <img src=url> tag. But that caused me
to contemplate what could happen if someone put malicious content into the
text area. It could be some nasty JavaScript or a redirect to a hostile
website or any number of scary scenarios. And even just a simple error or
typo could mess up the entire HTML document being created.

So, I think I will need to remove any HTML tags, or do some careful
validation of the user input. Now I'm starting to understand how there can
be security risks when a user is allowed the freedom to enter useful but
potentially dangerous content.

Thanks,

Paul
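
Added example, not part of the thread and not the poster's script: one way to handle the textarea value server-side in Perl, so that markup typed by the user is shown as text and the line breaks are kept. The sub names `escape_html` and `textarea_to_html` are hypothetical, and `%in` is filled with constructed sample data standing in for the decoded form fields.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the characters that are significant in HTML text and attribute
# values. '&' is replaced first so that the entities produced for the
# other characters are not escaped a second time.
sub escape_html {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&#39;/g;
    return $text;
}

# Render a textarea value as HTML: normalise CR LF (and a lone CR) to LF,
# escape the text, then turn each line break into <br>.
sub textarea_to_html {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/\r\n?/\n/g;
    my $html = escape_html($text);
    $html =~ s/\n/<br>\n/g;
    return $html;
}

# Constructed sample input: what a browser submits for three lines of
# textarea text, after URL-decoding (%0D%0A becomes CR LF).
my %in = (
    Entry_Description => "Meeting at the park\r\n"
                       . "<b>Bring water</b> & snacks\r\n"
                       . "<img src=url>",
);

my $description = textarea_to_html($in{'Entry_Description'});

# The CGI header block ends at the first empty line; the body follows it.
print "Content-type: text/html\n\n";
print <<"END_HTML";
<html><body>
<p>$description</p>
</body></html>
END_HTML
```

With this in place the `<b>` and `<img>` tags from the sample arrive in the page as visible text (`&lt;b&gt;...`) rather than as live markup.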
 
