
This queue is for tickets about the Catalyst-Plugin-Session CPAN distribution.

Report information
The Basics
Id: 107902
Status: new
Priority: 0/
Queue: Catalyst-Plugin-Session

People
Owner: Nobody in particular
Requestors: martin.spevak [...] hpe.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: potential XSS attack
Date: Wed, 21 Oct 2015 16:26:26 +0200
To: bug-Catalyst-Plugin-Session [...] rt.cpan.org
From: Martin Spevak <martin.spevak [...] hpe.com>
When someone fakes a session id, let's say with 12323498<sCrIpT>alert(1)</sCrIpT>, the plugin throws the following exception:

    my $err = "Tried to set invalid session ID '$sid'";
    $c->log->error($err);
    Catalyst::Exception->throw($err);

Catalyst informs you with the following error message in the web page:

    Tried to set invalid session ID '12323498<sCrIpT>alert(1)</sCrIpT>'

The problem is that some plugins use filters for HTML characters and some do not. For instance:

    module/index: Couldn&#39;t render template &quot;file error - module.tt2: not found&quot;

So, I would like to ask if it's possible to escape the SID (to have an HTML-safe string) before it is set into the error message?

Best regards,

--
*Martin (singer) Spevak*
HPES Software Development Engineer
HPES Network Management Solutions
Location: Galvaniho 7/A, Bratislava, Slovakia
Tel.: +421 2 5752 5390
Email: martin.spevak@hp.com
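The report above boils down to an attacker-controlled value (the client-supplied session id) being interpolated into an error string that some renderers print without HTML escaping. The following is an added example, not code from Catalyst::Plugin::Session or from the reporter: it shows the raw message alongside two defensive variants, one that HTML-escapes the value with HTML::Entities and one that does not echo the rejected value to the client at all. It assumes HTML::Entities (from the HTML-Parser distribution) is installed; the hex-only format check mirrors the plugin's own validation but is written here independently.

```perl
#!/usr/bin/env perl
# Added example (not code from Catalyst::Plugin::Session): demonstrates how a
# raw session id reaches an error message, and two defensive alternatives.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);   # assumption: HTML-Parser is installed

# Constructed sample input: the forged session id from the bug report.
my $tainted_sid = '12323498<sCrIpT>alert(1)</sCrIpT>';

# Session ids generated by the plugin are hex digests; anything else was not
# issued by the server and should be rejected before it is used anywhere.
sub valid_session_id {
    my ($sid) = @_;
    return defined $sid && $sid =~ /\A[a-f0-9]+\z/i;
}

# Before: the rejected value is interpolated verbatim (what the report shows).
# Any view that renders the exception text without escaping will emit markup.
sub error_message_raw {
    my ($sid) = @_;
    return "Tried to set invalid session ID '$sid'";
}

# After, option 1: HTML-escape the value so '<', '>', '&', '"' and "'" become
# entities. The message is still informative but cannot inject markup.
sub error_message_escaped {
    my ($sid) = @_;
    return "Tried to set invalid session ID '" . encode_entities($sid) . "'";
}

# After, option 2: never echo attacker-controlled data to the client.
# Return a fixed user-facing message and a truncated, escaped copy for the
# server-side log only.
sub error_message_redacted {
    my ($sid) = @_;
    my $for_log = encode_entities(substr($sid, 0, 32));
    return ("Tried to set invalid session ID", $for_log);
}

if (!valid_session_id($tainted_sid)) {
    print "raw     : ", error_message_raw($tainted_sid), "\n";
    print "escaped : ", error_message_escaped($tainted_sid), "\n";
    my ($user_msg, $log_msg) = error_message_redacted($tainted_sid);
    print "redacted: $user_msg (logged as '$log_msg')\n";
}
```

Of the two fixes, the second is the more robust: escaping is only correct for an HTML context, whereas the same exception text may also be written to logs, JSON error bodies or plain-text pages. Keeping the rejected value out of the client-facing message entirely, and confining it (escaped and truncated) to the server log, removes the dependency on every view plugin escaping consistently, which is exactly the inconsistency the report describes.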