Subject: potential XSS attack
Date: Wed, 21 Oct 2015 16:26:26 +0200
To: bug-Catalyst-Plugin-Session [...] rt.cpan.org
From: Martin Spevak <martin.spevak [...] hpe.com>
When someone fakes a session ID, let's say with
12323498<sCrIpT>alert(1)</sCrIpT>
the plugin throws the following exception:
my $err = "Tried to set invalid session ID '$sid'";
$c->log->error($err);
Catalyst::Exception->throw($err);
Catalyst informs you with the following error message in the web page:
Tried to set invalid session ID '12323498<sCrIpT>alert(1)</sCrIpT>'
The problem is that some plugins use filters for HTML characters and some do not.
For instance:
module/index: Couldn't render template "file error - module.tt2: not found"
So, I would like to ask if it's possible to escape the SID (to have an HTML-safe string) before it is set into the error message?
Best regards,
--
*Martin (singer) Spevak*
HPES Software Development Engineer
HPES Network Management Solutions
Location: Galvaniho 7/A, Bratislava, Slovakia
Tel.: +421 2 5752 5390
Email: martin.spevak@hp.com
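The following is an added example, not code from the reporter or from Catalyst::Plugin::Session, showing the two ways the error message above can be built: the reported form, which interpolates the raw session ID, and a hardened form that HTML-escapes (and truncates) the untrusted value first, so a session ID reflected into an HTML error page is rendered as text rather than as markup. The validator `looks_like_session_id` is a hypothetical stand-in for the plugin's own check and assumes a session ID is a lowercase hex string; `HTML::Entities` is the core CPAN module used for the escaping.

```perl
#!/usr/bin/env perl
# Added example (not the plugin's or the reporter's code): escape an untrusted
# session ID before it is interpolated into an error message that may be
# rendered as HTML.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Hypothetical validator standing in for the plugin's own session-ID check.
# Assumption: a well-formed session ID is a lowercase hex string of 40 to 64
# characters; anything else is treated as an invalid (possibly forged) ID.
sub looks_like_session_id {
    my ($sid) = @_;
    return ( defined $sid && $sid =~ /\A[0-9a-f]{40,64}\z/ ) ? 1 : 0;
}

# The reported form: the raw $sid goes straight into the message. If any layer
# later emits this string into HTML without escaping, the <script> executes.
sub unsafe_error_message {
    my ($sid) = @_;
    return "Tried to set invalid session ID '$sid'";
}

# Hardened form: cap the length so an oversized forged cookie cannot bloat the
# log, then escape the characters that matter in HTML (< > & " ') before
# interpolation. The message stays informative but is HTML-safe wherever it
# ends up (log, exception page, template without an html filter).
sub safe_error_message {
    my ($sid) = @_;
    my $shown   = substr( $sid // '', 0, 64 );
    my $escaped = encode_entities( $shown, q{<>&"'} );
    return "Tried to set invalid session ID '$escaped'";
}

# Constructed sample input: the forged session ID from the report.
my $forged = '12323498<sCrIpT>alert(1)</sCrIpT>';

if ( !looks_like_session_id($forged) ) {
    print "reported:  ", unsafe_error_message($forged), "\n";
    print "hardened:  ", safe_error_message($forged),   "\n";
}
```

Escaping at the point where the message is built, rather than relying on every downstream renderer to filter, is what makes the result safe regardless of which plugin or template eventually displays it; the hardened form prints `Tried to set invalid session ID '12323498&lt;sCrIpT&gt;alert(1)&lt;/sCrIpT&gt;'`.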