[sf-perl] input validation module sought

Dan Lyke danlyke at flutterby.com
Tue Sep 23 12:41:05 PDT 2008

On Mon, 22 Sep 2008 12:25:54 -0700
ken uhl <kenuhl at berkeley.edu> wrote:
> Hi, I am looking for a module to do input validation to protect
> against SQL insertions

As others have mentioned, bound variables are your friend, though
because I started doing this stuff back in the days when bound
variables didn't well work on all drivers, the $dbh->quote(...) method
also works nicely.

> HTML insertions
> javascript insertions

These are a slightly more challenging problem. I've let my code to do
this diverge from the stuff I've published, but the roughly the system
which has run my web site for 8 years or so is at

If nobody comes up with a supported CPAN module that does all the right
stuff you might take a look at it. It shows its age, I should really sit
down and rework it with what I've learned of Perl since, actually
document the thing, maybe even figure out how to make a CPAN module,
but the guts of it are in Flutterby/Parse/Text.pm and

Create a new parser with:

   my $p = Flutterby::Parse::HTML->new();

Create a tree (which is just like the ones that come in off of the XML
parser) with:

   my $tree = $p->parse("some text mixed with html goes here");

Create an outputter:

   my $out = Flutterby::Output::HTML->new();

and there are various options for outputting to strings or whatever, and
then output it:


You might also want to find a subset of the tree if you're outputting
this HTML inside other HTML:

   if ($node = Flutterby::Tree::Find::nodeChildInfo($tree,'body'))
      @tree = @$node;
      shift @tree;

The Perl ain't great, there's a lot I'd like to rework it to do, but it
does a semi-decent job of taking text user input, guessing what they
meant, keeping them from doing anything malicious, and outputting
conforming and validating HTML. I think there's one hole that should
get plugged, if you get that far I'll happily discuss plugging it with

If Perl were my business or I had gobs of spare time I'd rework it so
that it worked on a pipe rather than a tree-in-memory model, and I know
that the actual running code has an expanded amount of HTML it'll let
the user do, but that's where I've gotten to and it still runs.

I think I've put a GPL license on that, but it's all my code and I'll
happily work with you to provide a suitable written copyright notice
if you may need to integrate it into something that isn't GPL-able (I
know that sometimes it's difficult to get suits to sign off on random
code from the 'net).


More information about the SanFrancisco-pm mailing list