[dancer-users] XSS
Rick Leir
richard.leir at canadiana.ca
Tue Sep 29 15:01:53 BST 2015
On Tue, Sep 29, 2015 at 3:05 AM, <dancer-users-request at dancer.pm> wrote:
>
> Well, if end users can insert data into the table somehow, then it's still
> vulnerable. Furthermore, if the fields in the table contain special HTML
> characters like < , > , & , etc., then it may confuse the browser's HTML
> parser and cause the HTML to not validate. So it's a good idea to escape the
> fields anyway when passing them to the output.
>
I had problems with taint mode and Dancer2; is that related to this thread?
My problem is shown by using -T in this:
$ perl -T -Ilib t/001_base.t
1..1
not ok 1 - use CFOO::CBAR;
# Failed test 'use CFOO::CBAR;'
# at t/001_base.t line 5.
# Tried to use 'CFOO::CBAR'.
# Error: Unable to load class for Logger component File: Insecure
dependency in require while running with -T switch at
/usr/local/share/perl/5.20.1/Dancer2/Core/App.pm line 165.
# BEGIN failed--compilation aborted at lib/CFOO/CBAR.pm line 7.
# Compilation failed in require at t/001_base.t line 5.
# BEGIN failed--compilation aborted at t/001_base.t line 5.
# Looks like you failed 1 test of 1.
possibly related:
https://github.com/PerlDancer/Dancer2/issues/567
https://github.com/PerlDancer/Dancer2/issues/609
The latter (609) suggests that the taint problem goes away when using
plackup/Starman. I will try to run the tests via plackup/Starman.
From the changelog:
* GH #567: Check for proper module names in loading engines. Might help
with taint mode. (Sawyer X)
cheers -- Rick
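The escaping the quoted reply recommends, as an added example that is not part of the original thread and not Dancer2's own code: a small pure-Perl escaper applied to every table cell before it is interpolated into HTML, run over constructed sample rows (the names, the escape_html and render_row subs, and the row data are all assumptions for illustration).

```perl
#!/usr/bin/env perl
# Added example, not from the original mailing-list post: escape field values
# before interpolating them into HTML so that '<', '>', '&' and quotes are
# rendered as text instead of being parsed as markup. Pure Perl, no Dancer2
# dependency; the sample rows below are constructed input.
use strict;
use warnings;

# The five characters that change meaning inside HTML text or attribute
# values, mapped to their entity forms. One substitution pass handles all of
# them, so '&' is never escaped a second time by a later step.
my %ENTITY = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',
);

# Return a copy of $text safe to place inside an HTML element or a
# double-quoted attribute. Undefined input becomes the empty string.
sub escape_html {
    my ($text) = @_;
    return '' unless defined $text;
    (my $escaped = $text) =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $escaped;
}

# Render one table row; every cell goes through escape_html, so a value that
# contains tags ends up as literal text in the page rather than as markup.
sub render_row {
    my (@fields) = @_;
    return '<tr>'
        . join('', map { '<td>' . escape_html($_) . '</td>' } @fields)
        . '</tr>';
}

# Constructed sample rows; the second one contains HTML metacharacters of the
# kind the quoted reply warns about.
my @rows = (
    [ 'Rick',        'richard.leir at canadiana.ca' ],
    [ 'Tom & Jerry', '<b>not bold</b> & "quoted"'   ],
);

print "<table>\n";
print render_row(@$_), "\n" for @rows;
print "</table>\n";
```

The second row renders as `<td>Tom &amp; Jerry</td><td>&lt;b&gt;not bold&lt;/b&gt; &amp; &quot;quoted&quot;</td>`, so the browser shows the bold tags as text and the page still validates. In a real Dancer2 application the same transformation belongs in the template layer (applied once, on output) rather than being repeated in every route handler, and it must be applied to every field regardless of whether end users are currently believed to be able to write to that table.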