I've recently been learning perl and am wondering what frameworks are available for creating a web app. I'm mostly concerned about security, so if there are any security-specific web frameworks you'd recommend, I'd be more interested in those.
Currently accepted answer from thread below
This thread on perlmonks has some info regarding Catalyst (which is the most modern/powerful Perl web development framework) in a security context.
For an overall comparison, several of them are linked in the "Comparisons" section of the Web Frameworks/Perl5 Wiki.
Also, please remember that the main problem security-wise is the developer: you can write hole-ridden code in the most secure framework if you don't have a proper security-centric outlook in your development (that was the main point given to us in our secure web development training, and I happen to agree).
Also, as per Brian's question in the comment, these are a couple of helpful general "web security in Perl" links:
- CGI Programming with Perl book (Duh) - Chapter 8. Security
- W3C CGI Security FAQ - especially Q14 and Q15 (exec and taint checks)
- Security Issues in Perl Scripts
- Perl Security and Regular Expressions
There are plenty of frameworks, some of the more popular ones are Catalyst, Web::Simple and CGI::Application. Catalyst is the more complex and powerful one, well suited to big web applications.
There's a few others that I can think of, too:
- Mojolicious, a small and powerful framework, with descriptions on their website.
- Dancer, a framework similar to Mojolicious that is designed to make it easy to get started with nothing other than its framework.
In fact, there's a bit of a competition going on between Mojolicious and Dancer right now to be the new framework to build the new CPAN Top 100 website:
- Competition Announcement
- Week 1: Install, Support, Hello World
- Week 2: Templates
In addition to the web frameworks themselves, check out the perlsec doc in your perldoc kit. It talks about all the features Perl has for creating secure, protected code. The biggest one is taint mode, in which strings from any insecure place are marked internally and, if used without being processed (usually with a regex), throw warnings or errors. This language feature can help you catch possible problems with reading from untrusted locations.
Another resource is the Template Toolkit. This gives you a formatting / templating tool for your webpages. From their site:
The Template Toolkit is a fast, flexible and highly extensible template processing system. It is Free (in both senses: free beer and free speech), Open Source software and runs on virtually every modern operating system known to man. It is mature, reliable and well documented, and is used to generate content for countless web sites ranging from the very small to the very large.
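Taint mode in practice, as an added example that is not part of any of the answers above: a small CGI-style script run under `-T`. Command-line arguments stand in for request parameters (both `@ARGV` and `%ENV`, and therefore anything a CGI module reads from them, are tainted). The script name `taint_demo.pl`, the username pattern and the `untaint_username` helper are assumptions made for this illustration; the behaviour of `-T`, `%ENV` cleaning and regex laundering is as documented in perlsec.

```perl
#!/usr/bin/perl -T
# Added example (not from the original answers): taint mode in a small
# CGI-style script. Run it as:  perl -T taint_demo.pl alice
# (-T must be on the command line or the #! line; running
# "perl taint_demo.pl" with only the #! flag dies with
# "Too late for -T option".)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# perlsec: before running any external program under -T, %ENV must be
# cleaned, otherwise system() dies with "Insecure $ENV{PATH}".
# Assigning a literal yields an untainted value.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Every element of @ARGV (like %ENV, STDIN and CGI parameters) is tainted.
my $user = $ARGV[0] // die "usage: perl -T taint_demo.pl USERNAME\n";

# The only way to launder tainted data is to capture part of it with a
# regex: the captured group is untainted. The pattern is an allowlist
# (assumption for this demo: usernames look like POSIX login names),
# anchored with \A...\z so "alice; rm -rf /" or "alice\n" cannot pass.
sub untaint_username {
    my ($raw) = @_;
    if ($raw =~ /\A([a-z_][a-z0-9_-]{0,31})\z/) {
        return $1;
    }
    die "refusing username '$raw': not a valid login name\n";
}

my $clean = untaint_username($user);

# print is not taint-checked, so reporting tainted data is allowed.
printf "raw value is %stainted, laundered value is %stainted\n",
    tainted($user)  ? '' : 'not ',
    tainted($clean) ? '' : 'not ';

# Using the raw value in a "dangerous" operation is refused at run time,
# even in the list form of system(), which never invokes a shell
# (perlsec: 'system "/bin/echo", $arg;  # Considered insecure').
eval { system('echo', 'greeting', $user); 1 }
    or print "blocked by taint mode: $@";

# The laundered value is accepted.
system('echo', 'hello', $clean) == 0
    or warn "echo exited with status $?\n";
```

With `perl -T taint_demo.pl alice` the first `system` call dies inside the `eval` with "Insecure dependency in system while running with -T switch" and the second one runs; with `perl -T taint_demo.pl 'alice; id'` the script stops in `untaint_username` before anything is executed. Taint mode only tells you that data came from outside; the security control is the narrowness of the regex you launder it with, so a pattern like `/(.*)/` satisfies Perl but protects nothing. The `-t` switch turns the fatal errors into warnings, which is useful for finding the places an existing script needs fixing before switching to `-T`.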