Release Notes v.902: Basic Perl-Based Comment System for Static Web Pages (2/2) | WebReference


Simple Comments

Simple Subroutine Sharing via the Module

Two main scripts are provided in our Simple Comments system: the publicly accessible script that actually displays approved comments on Web pages, and the administrator script that allows for the approval of those comments as well as the review and editing of already approved comments. The public script should be deployed in a common area of your cgi-bin (or executable script directory), and the administrator script must be deployed in a password-protected area of your cgi-bin (or executable script directory). For best security of the admin script, we recommend deploying it on a password-protected SSL server, if possible.

Since both of these scripts need many of the same capabilities, we also include a library that is used by both scripts and provides multiple subroutines that each can call. Designing the system in this manner allows us to avoid replicating functionality between the two scripts; if we need, for example, to change the user-submitted data scrubbing routines, we can do so in one place instead of having to replicate the change in both of the individual scripts (as well as any other scripts we may use to extend the system later). You can find out more about the use of subroutines to reuse Perl code in our earlier primer on the topic, and you can also learn more about the creation of user-defined modules in our Perl Module Primer.

A couple of notes on our module creation and usage bear examination here. If you compare our actual module to the recommendations we make in our module primer, you'll find a discrepancy: we use a common module name instead of attempting to use a unique name for all modules (or a Local name). The reason is that it's highly doubtful our module will have any use outside of our Simple Comments system (its subroutines are specific to the actual needs of the comment scripts), so we thought it would be more helpful to design the module such that it can be delivered with and installed alongside the comment scripts themselves with a minimum amount of fuss (as opposed to forcing the installation of the module in a central directory). Of course, we always recommend that you check with your system administrator before installing any new software, and if this conflicts with your policy you're welcome to make the appropriate naming adjustments.

We use an %EXPORT_TAGS entry to allow for the simple importation of module symbols without forcing them upon the client scripts. For now we've taken the admittedly lazy approach of simply specifying a single tag entry (all) that encapsulates all of the exportable subroutines; i.e., to use all the exportable subroutines from in a script you would just:

use Comments qw(:all);

If you do end up using in your own scripts and prefer not to import everything, you can always do something like this:

use lib qw(/www/yourserver/comments/lib);
use Comments qw(trim to_entities);
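As an added illustration (not the Simple Comments module itself), here is a minimal Comments.pm showing how the single :all tag and the two subroutines named above fit together with Exporter; the bodies of trim and to_entities are our own assumptions about what those names do, and to_entities is the routine that keeps user-submitted comment text from being rendered as HTML:

```perl
# lib/Comments.pm: hypothetical reconstruction of the export scheme described
# in the article, not the project's own code.
package Comments;

use strict;
use warnings;
use Exporter 'import';

# Only what is listed here can be imported; nothing is exported by default.
our @EXPORT_OK   = qw(trim to_entities);
# "use Comments qw(:all);" pulls in everything in @EXPORT_OK.
our %EXPORT_TAGS = ( all => \@EXPORT_OK );

# Strip leading and trailing whitespace from a (possibly undefined) string.
sub trim {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/^\s+//;
    $s =~ s/\s+$//;
    return $s;
}

# Replace characters with special meaning in HTML by their entities so that
# comment text is displayed literally instead of being parsed as markup.
sub to_entities {
    my ($s) = @_;
    return '' unless defined $s;
    my %map = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

1;
```

Saved as lib/Comments.pm under the directory named in the use lib line, the two use statements above work unchanged; to_entities('<b>hi</b>') returns the string &lt;b&gt;hi&lt;/b&gt;.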

Simple Security via Tainting

Each of the scripts in our Simple Comments system is Taint-mode enabled, meaning that Perl will automatically enforce certain checks on user input if that input can have an influence outside of our Perl scripts (see our earlier Taint Mode Primer for more details). If you're running the scripts in a mod_perl environment, be sure to enable Taint mode in your Apache configuration files.

Because taint mode is enabled, all of our input is also tainted, and several of the values need to be cleansed before they can be used. Actually, we've found that configuration values themselves are not tainted when returned from XML::Simple, but for consistency we check and untaint these as necessary anyway. And all of our CGI input is tainted, of course.

The checks we enforce on the configuration file include those for the server pathnames and URL identifications for the scripts. Specifically, server pathnames must be absolute (beginning with a slash) and cannot include any relative directory designations. The URL path to the admin and public comment scripts must also be designated from the document root (with a leading slash, or with an explicit http/https domain name).

In addition to those specific checks on pathnames, all of the configuration variables are checked for potentially dangerous shell metacharacters (our current list is ][&;`'\"|*?~<>^(){}$\n\r). These characters, if found, are stripped before the string will be used. If this is a problem in your particular implementation, you'll need to adjust the untaint function in
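The following is an added example, written for this page rather than taken from the Simple Comments module, of a configuration untainting routine that applies the rules just described: absolute server pathnames with no relative components, script URLs that are root-relative or carry an explicit http/https host, and stripping of the listed shell metacharacters. The subroutine name untaint_config and the sample values are our own; the script is meant to be run as "perl -T".

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# The metacharacters listed in the article; any occurrence is stripped.
my $META = qr/[\]\[&;`'"|*?~<>^(){}\$\n\r]/;

# Return an untainted copy of one configuration value, or die if it breaks
# the structural rule for its kind ('path' = server pathname, 'url' = script URL).
sub untaint_config {
    my ($kind, $value) = @_;
    die "missing configuration value\n" unless defined $value;
    (my $clean = $value) =~ s/$META//g;

    if ($kind eq 'path') {
        die "pathname must be absolute: $value\n" unless $clean =~ m{^/};
        # Reject '.' and '..' components anywhere in the path.
        die "relative component in pathname: $value\n"
            if grep { $_ eq '.' || $_ eq '..' } split m{/}, $clean;
        # The capturing match is what actually clears Perl's taint flag.
        ($clean) = $clean =~ m{^([\w./-]+)\z}
            or die "unexpected characters in pathname: $value\n";
        return $clean;
    }
    if ($kind eq 'url') {
        # Either root-relative (/cgi-bin/...) or an explicit http(s) URL.
        ($clean) = $clean =~ m{^((?:https?://[\w.-]+(?::\d+)?)?/[\w./%-]*)\z}
            or die "script URL must start with / or http(s)://: $value\n";
        return $clean;
    }
    die "unknown configuration kind '$kind'\n";
}

# Constructed sample values, as they might come back from XML::Simple.
my %cfg = (
    comment_dir => untaint_config(path => '/www/yourserver/comments/data'),
    public_url  => untaint_config(url  => '/cgi-bin/comments.cgi'),
    admin_url   => untaint_config(url  => 'https://admin.example.com/cgi-bin/admin.cgi'),
);
printf "%-12s %s\n", $_, $cfg{$_} for sort keys %cfg;

# Structurally bad values are rejected outright rather than silently cleaned.
for my $bad ('data/comments', '/www/../etc', 'ftp://host/x') {
    my $kind = $bad =~ m{://} ? 'url' : 'path';
    eval { untaint_config($kind => $bad); 1 } or print "rejected: $@";
}
```

Note that stripping metacharacters changes the value silently; the structural checks die instead, so a mistyped pathname in the configuration file shows up at startup rather than as a script that quietly writes somewhere else.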

Another, more subtle gotcha in regards to Taint mode is the fact that the "." (dot) directory is removed from the @INC path, which means our provided module must be referenced via a pathname given in a use lib statement. That is, we cannot simply place the file in the same directory as the script that calls it, because it would not be found after Taint mode removes the dot directory. (Also, we want to place the two scripts in two different places on the server anyway.)

Other Comments on Simple Comments

In no particular order, here are some other observations on the use and implementation of Simple Comments:

To Do List

The Simple Comments system has left a lot of room for enhancements. Should there be enough interest in the script, some of the enhancements we may consider for implementation at a later time include (but are not limited to):

Of course, with the addition of these types of features our "Simple Comments" script becomes less and less simple, but we'll do our best to keep the script as easy to use--yet as flexible as needed--as possible.


We hope that you enjoy the Simple Comments scripts and that they're useful to you from either a functional standpoint on your own Web server or as a teaching tool in your own Perl education. If you have suggestions for future improvements to the system, please feel free to contact me.


Created: June 20, 2006
Revised: September 13, 2006