The only way to derive untainted data from tainted data is to perform a regular expression match with capturing parentheses on it and use the resulting $1, $2, etc. It is assumed that if you have gone to this much trouble, you have constructed a regular expression that will result in safe data. Perl does not and cannot check that you have really done so. If you simply do

    ($untainted) = $tainted =~ /(.*)/s;

then this is the equivalent of putting a gun to your head and pulling the trigger without looking in the chamber first.

Create CGI programs with taint checking from the beginning. Retrofitting -T onto existing programs is tedious and frustrating. Taint mode is utterly paranoid. One of the consequences of environment variables being tainted is that your path is tainted, so any attempt to run an external program fails with an insecure dependency in path unless you untaint $ENV{PATH}, which usually means setting it explicitly to a (colon- or semicolon-separated) list of directories you trust.

13.5.2 Debugging in Taint Mode

If you syntax check a program that has -T in its #! line, you'll see something like this:

    $ perl -c foo.cgi
    Too late for "-T" option at foo.cgi line 1.

This is caused by an obscure feature of Perl's implementation that requires taint mode to be turned on really early in its startup process. (If you remembered Perl of Wisdom #10, "Use use diagnostics to explain error messages," you would have seen the explanation.) Just add -T:

    $ perl -cT foo.cgi

13.6 Heading Off Errors

The output of your program is usually parsed through the Web server (unless you use the increasingly rare nph feature), which adds headers like a status line (unless you provide one yourself), a server identification line, and a date. The essential header for you to remember is Content-type: you must output this one. (Weeell, the complete truth is more complicated, but of little use. You can output any number of lines that look like headers [any line containing a colon with at least one nonspace character on either side, based on experimentation], and these lines are faithfully passed on by the server as though they actually mean something. As long as you output a blank line before your content, it'll make it through; if you don't output a Content-type header, some servers will put one on for you [set to text/plain]; some browsers interpret the absence of a Content-type header to mean it is of type text/html. This is of academic interest at best.)
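The two rules from the text above, untainting a value only through a capturing regex (13.5) and sending the Content-type header yourself (13.6), as an added example that is not from the book; it assumes a single filename parameter and /usr/bin:/bin as the trusted directories for $ENV{PATH}.

```perl
#!/usr/bin/perl -T
# Added example (not from the book). Run it as:  perl -T untaint.cgi NAME
# Shows the two halves of the text above: untainting a value with a regex,
# and untainting $ENV{PATH} before any external program can run.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every value from outside the program (%ENV, @ARGV, STDIN, CGI
# parameters) is tainted. Set PATH to directories you trust and drop the
# variables a shell would honour, otherwise system() refuses to run.
$ENV{PATH} = '/usr/bin:/bin';                 # assumed trusted directories
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The pattern the text warns against: it captures anything, so Perl treats
# the result as clean although it is byte-for-byte the untrusted input.
sub untaint_blindly {
    my ($tainted) = @_;
    my ($untainted) = $tainted =~ /(.*)/s;
    return $untainted;
}

# A pattern that encodes a real policy: a bare filename of word characters,
# dots and dashes, no leading dot, no slashes. Anything else yields undef
# so the caller can reject it instead of working with it.
sub untaint_filename {
    my ($tainted) = @_;
    return unless defined $tainted;
    my ($untainted) = $tainted =~ /\A([A-Za-z0-9_][\w.-]{0,63})\z/;
    return $untainted;
}

print "Content-type: text/plain\r\n\r\n";     # the one header you must send

# Constructed input standing in for a CGI parameter; @ARGV is tainted too.
my $input = @ARGV ? $ARGV[0] : '../secret.txt';

my $blind = untaint_blindly($input);
printf "blind:  tainted=%d value=%s\n", tainted($blind) ? 1 : 0, $blind;

my $safe = untaint_filename($input);
if (defined $safe) {
    printf "strict: tainted=%d value=%s\n", tainted($safe) ? 1 : 0, $safe;
    # List-form system() bypasses the shell; with PATH untainted it runs.
    system('ls', '-l', $safe) == 0 or print "ls failed for $safe\n";
} else {
    print "strict: rejected input\n";
}
```

Both results report tainted=0, which is the point of the text: once data has passed through capturing parentheses Perl considers it clean, so only the pattern you chose decides whether it actually is. Running the script without -T on the command line reproduces the "Too late for -T" complaint from 13.5.2.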