[dancer-users] XSS

Rick Leir richard.leir at canadiana.ca
Tue Sep 29 15:01:53 BST 2015

On Tue, Sep 29, 2015 at 3:05 AM, <dancer-users-request at dancer.pm> wrote:

> Well , if end users can insert data into the table somehow, then it's still
> vulnerable. Furthermore, if the fields in the table contain special HTML
> characters like <  , > , & , etc. then it may confuse the browser's HTML
> parser,
> and cause the HTML to not validate. So it's a good idea to escape the
> fields
> anyway when passing them to the output.

I had problems with taint mode and Dancer2, is that related to this thread?

My problem is shown by using -T in this:
$ perl -T -Ilib t/001_base.t
not ok 1 - use CFOO::CBAR;
#   Failed test 'use CFOO::CBAR;'
#   at t/001_base.t line 5.
#     Tried to use 'CFOO::CBAR'.
#     Error:  Unable to load class for Logger component File: Insecure
dependency in require while running with -T switch at
/usr/local/share/perl/5.20.1/Dancer2/Core/App.pm line 165.
# BEGIN failed--compilation aborted at lib/CFOO/CBAR.pm line 7.
# Compilation failed in require at t/001_base.t line 5.
# BEGIN failed--compilation aborted at t/001_base.t line 5.
# Looks like you failed 1 test of 1.

possibly related:
This latter 609 suggests that the taint problem goes away when using
plackup/Starman. I will try to run the tests via plackup/Starman.

>From the changelog:
* GH #567: Check for proper module names in loading engines. Might help
with taint mode. (Sawyer X)

cheers -- Rick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.preshweb.co.uk/pipermail/dancer-users/attachments/20150929/5933a31e/attachment.html>

More information about the dancer-users mailing list