<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 29, 2015 at 3:05 AM, <span dir="ltr"><<a href="mailto:dancer-users-request@dancer.pm" target="_blank">dancer-users-request@dancer.pm</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
Well , if end users can insert data into the table somehow, then it's still<br>
vulnerable. Furthermore, if the fields in the table contain special HTML<br>
characters like < , > , & , etc. then it may confuse the browser's HTML parser,<br>
and cause the HTML to not validate. So it's a good idea to escape the fields<br>
anyway when passing them to the output.<br>
</blockquote></div><br>I had problems with taint mode and Dancer2, is that related to this thread?<br><br></div><div class="gmail_extra">My problem is shown by using -T in this:<br><span style="font-family:monospace,monospace">$ perl -T -Ilib t/001_base.t <br>1..1<br>not ok 1 - use CFOO::CBAR;<br># Failed test 'use </span><span style="font-family:monospace,monospace"><span style="font-family:monospace,monospace">CFOO::CBAR</span>;'<br># at t/001_base.t line 5.<br># Tried to use '</span><span style="font-family:monospace,monospace"><span style="font-family:monospace,monospace">CFOO::CBAR</span>'.<br># Error: Unable to load class for Logger component File: Insecure dependency in require while running with -T switch at /usr/local/share/perl/5.20.1/Dancer2/Core/App.pm line 165.<br># BEGIN failed--compilation aborted at lib/</span><span style="font-family:monospace,monospace"><span style="font-family:monospace,monospace">CFOO/CBAR</span>.pm line 7.<br># Compilation failed in require at t/001_base.t line 5.<br># BEGIN failed--compilation aborted at t/001_base.t line 5.<br># Looks like you failed 1 test of 1.</span><br><br></div><div class="gmail_extra">possibly related:<br><a href="https://github.com/PerlDancer/Dancer2/issues/567">https://github.com/PerlDancer/Dancer2/issues/567</a><br><a href="https://github.com/PerlDancer/Dancer2/issues/609">https://github.com/PerlDancer/Dancer2/issues/609</a><br></div><div class="gmail_extra">This latter 609 suggests that the taint problem goes away when using plackup/Starman. I will try to run the tests via plackup/Starman.<br></div><div class="gmail_extra"><br>From the changelog:<br>
* GH #567: Check for proper module names in loading engines. Might help with taint mode. (Sawyer X)<br clear="all"></div><div class="gmail_extra"><br>cheers -- Rick <br>
</div></div>