On Tue, Sep 29, 2015 at 3:05 AM, <dancer-users-request@dancer.pm> wrote:

Well, if end users can insert data into the table somehow, then it's still
vulnerable. Furthermore, if the fields in the table contain special HTML
characters like <, >, &, etc., then it may confuse the browser's HTML parser
and cause the HTML to not validate. So it's a good idea to escape the fields
anyway when passing them to the output.

I had problems with taint mode and Dancer2; is that related to this thread?

My problem is shown by using -T in this:
$ perl -T -Ilib t/001_base.t
1..1
not ok 1 - use CFOO::CBAR;
#   Failed test 'use CFOO::CBAR;'
#   at t/001_base.t line 5.
#     Tried to use 'CFOO::CBAR'.
#     Error:  Unable to load class for Logger component File: Insecure dependency in require while running with -T switch at /usr/local/share/perl/5.20.1/Dancer2/Core/App.pm line 165.
# BEGIN failed--compilation aborted at lib/CFOO/CBAR.pm line 7.
# Compilation failed in require at t/001_base.t line 5.
# BEGIN failed--compilation aborted at t/001_base.t line 5.
# Looks like you failed 1 test of 1.


possibly related:
https://github.com/PerlDancer/Dancer2/issues/567
https://github.com/PerlDancer/Dancer2/issues/609
The latter (#609) suggests that the taint problem goes away when using plackup/Starman. I will try to run the tests via plackup/Starman.

From the changelog:
* GH #567: Check for proper module names in loading engines. Might help with taint mode. (Sawyer X)

cheers -- Rick
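An added example, not code from this thread or from Dancer2, showing the two points raised above: why `require` of an engine class name dies with "Insecure dependency in require" under -T and how a whitelist regex untaints the name before loading (the kind of check the GH #567 changelog entry describes), plus escaping table fields before they are interpolated into HTML. Assumptions: the core module File::Spec stands in for the Logger engine class, `load_class_unchecked` is a sketch of the failure mode rather than Dancer2's actual loading code, and the table row is constructed inline.

```perl
#!/usr/bin/perl
# Run as:  perl -T example.pl               (untainted default name)
#          perl -T example.pl File::Spec    (same name, but tainted via @ARGV)
#          perl -T example.pl 'File::Spec; system("id")'   (rejected)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumption: this is the shape of the problem the thread describes, i.e. a
# string that came from configuration or the environment is handed straight
# to require. Under -T that string is tainted and require refuses it.
sub load_class_unchecked {
    my ($name) = @_;
    (my $file = "$name.pm") =~ s{::}{/}g;   # s/// keeps the taint flag
    my $ok = eval { require $file; 1 };
    return $ok ? "loaded $name" : "ERROR: $@";
}

# Only a capture from a regex match untaints data in Perl, so the whitelist
# doubles as the untainting step. The pattern is strict Perl package syntax:
# identifiers separated by '::', ASCII only, nothing else.
sub untaint_module_name {
    my ($name) = @_;
    return unless defined $name
        && $name =~ /\A([A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*)\z/;
    return $1;
}

sub load_class {
    my ($name) = @_;
    my $safe = untaint_module_name($name)
        or die "refusing to load '$name': not a valid package name\n";
    (my $file = "$safe.pm") =~ s{::}{/}g;   # derived from untainted data
    require $file;
    return "loaded $safe";
}

# Escape a field before it reaches the HTML output. HTML::Entities (CPAN)
# or the template engine's html filter is the usual choice; this hand-rolled
# map keeps the example dependency-free.
sub escape_html {
    my ($s) = @_;
    return '' unless defined $s;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# @ARGV is tainted under -T; a literal is not.
my $name = @ARGV ? $ARGV[0] : 'File::Spec';
printf "input '%s' %s tainted\n", $name, tainted($name) ? 'is' : 'is not';

print "unchecked require: ", load_class_unchecked($name), "\n";
print "checked require:   ", (eval { load_class($name) } // "refused: $@"), "\n";

# Constructed row, standing in for a record read from a database table.
my %row = (name => q{O'Brien <script>alert(1)</script>}, note => 'a & b');
print "<td>", escape_html($row{$_}), "</td>\n" for sort keys %row;
```

With no argument both loads succeed, because the literal is untainted. With `File::Spec` passed on the command line the unchecked path fails with the same "Insecure dependency in require while running with -T switch" error quoted in the test output, while the whitelisted path loads it. With a name containing `;` or whitespace the whitelist rejects it outright. Note that `-T` has to be on the command line (or the shebang that launches the script); adding it to the shebang of a file you then run with `perl file.pl` gives "Too late for -T".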