Arguments to C<print> and C<syswrite> are B<not> checked for taintedness.
+=item *
+
+Symbolic methods
+
+ $obj->$method(@args);
+
+and symbolic sub references
+
+ &{$foo}(@args);
+ $foo->(@args);
+
+are not checked for taintedness. This requires extra carefulness
+unless you want external data to affect your control flow. Unless
+you carefully limit what these symbolic values are, people are able
+to call functions B<outside> your Perl code, such as POSIX::system,
+in which case they are able to run arbitrary external code.
+
=back
The value of an expression containing tainted data will itself be
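Review bot: in the new "Symbolic methods" item, the sentence "This requires extra carefulness unless you want external data to affect your control flow" reads as though letting external data steer control flow were the desired case; suggest "This requires extra care if you do not want external data to affect your control flow." The item also stops at the warning: because taint mode does not check `$method` in `$obj->$method(@args)` or `$foo` in `&{$foo}(@args)`, the reader should be told what replaces the missing check, namely that the program must itself validate such a value against a fixed list of allowed names (or a strict pattern) before using it in a call. One sentence to that effect after "in which case they are able to run arbitrary external code." would make the item actionable rather than only alarming.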
best way to call something that might be subjected to shell escapes: just
never call the shell at all.
- use English;
+ use English '-no_match_vars';
die "Can't fork: $!" unless defined($pid = open(KID, "-|"));
if ($pid) { # parent
while (<KID>) {
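Review bot: the change from `use English;` to `use English '-no_match_vars';` is unexplained in the example; since this snippet is the kind of code that gets pasted into real programs, add a brief comment on that line (or a sentence before the block) saying why the argument is there, otherwise readers will drop it as noise. Also, with English in scope, the next line `die "Can't fork: $!" unless defined($pid = open(KID, "-|"));` still uses the short `$!`; either use `$OS_ERROR` for consistency with the long variable names the example otherwise favours, or accept the mix deliberately and say so.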
blah." You should see a lawyer to be sure your licence's wording will
stand up in court.
+=head2 Unicode
+
+Unicode is a new and complex technology and one may easily overlook
+certain security pitfalls. See L<perluniintro> for an overview and
+L<perlunicode> for details, and L<perlunicode/"Security Implications
+of Unicode"> for security implications in particular.
+
=head1 SEE ALSO
L<perlrun> for its description of cleaning up environment variables.
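Review bot: the new `=head2 Unicode` section points the reader at three links but names no concrete pitfall, so on its own it says only "be careful"; one sentence giving the kind of problem `L<perlunicode/"Security Implications of Unicode">` covers would let the section stand without a detour. Two smaller points: "Unicode is a new and complex technology" will date quickly (drop "new"), and the `L<perlunicode/"Security Implications` / `of Unicode">` formatting code is split across two lines; POD permits that, but keeping the whole `L<...>` on one line is easier to grep and less likely to trip link checkers.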