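# Taint mode (cont)
# Use regexps to untaint data
#
# Under -T, text captured by a regex match ($1, $2, ...) is treated as
# untainted. The pattern is therefore the whole validation step: whatever it
# lets through is trusted by every later operation.

$text = param('email');

# The match has to be bound to $text with =~ . A plain "=" would match the
# pattern against $_ and store the match result in $text, so $1 would not
# come from the submitted value.
#
# \A ... \z (rather than ^ ... $) and \s in the negated class keep spaces and
# embedded or trailing newlines out of the captured address. That matters if
# the value is later written into a mail header: sendmail -t takes its
# recipients from the header lines it is given.
if ( $text =~ / \A ( [^\@\s]+ \@ [-a-z0-9.]+ ) \z /ix ) {
    $email_addr = $1;
}
else {
    bail "Email address isn't in even vaguely valid format";
}

# $email_addr now untainted
# $text still tainted

# NOTE(review): the command string is a constant, so nothing user-supplied
# reaches the shell here. Taint mode will still refuse to start an external
# program until $ENV{PATH} has been set to a known value; presumably that is
# done earlier in the script (not visible in this excerpt) - confirm.
open SENDMAIL, "|/usr/bin/sendmail -t" or bail "sendmail";

# The excerpt ends in the middle of the next statement; the message text that
# follows is not shown. Only untainted, validated values such as $email_addr
# should be interpolated into it, never $text.
print SENDMAIL <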