
This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 21341
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: MARKSTOS [...] cpan.org
Requestors: MARKSTOS [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



Subject: PATCH: Param names not escaped properly in Dump, allowing raw HTML through
escapeHTML was not being used on parameter names in Dump. The below patch fixes it. (escapeHTML was being called, but the escaped value was being ignored!)

Mark

--- CGI.pm 2006-09-06 03:46:17.000000000 +0200 +++ CGI.pm.new 2006-09-06 03:44:51.000000000 +0200 @@ -1259,8 +1259,7 @@ push(@result,"<ul>"); foreach $param ($self->param) { my($name)=$self->escapeHTML($param); - push(@result,"<li><strong>$param</strong></li>"); + push(@result,"<li><strong>$name</strong></li>"); push(@result,"<ul>"); foreach $value ($self->param($param)) { $value = $self->escapeHTML($value);
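Review bot: The one-line substitution of `$name` for `$param` inside `<li><strong>...</strong></li>` is the right fix, since `my($name)=$self->escapeHTML($param)` was already computed and then discarded; the inner `foreach $value ($self->param($param))` correctly keeps the raw `$param` as the lookup key, and it has to stay that way, because escaping the key would make any name containing `&`, `<`, `>` or `"` fail to resolve. The patch carries no test; a regression test that submits a parameter named `<a>` and checks that `Dump` emits `&lt;a&gt;` and no literal `<a>` would keep this from coming back.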
I've reconfirmed this issue is still open in 3.43, and I believe this patch is correct and will still apply cleanly. Here are some tests for it. They will show the values are escaped, but the names are currently not:

    use Test::More 'no_plan';
    use CGI;

    # Query string with markup in both the parameter name and its value
    my $cgi = CGI->new('<a>=<b>');

    like($cgi->Dump, qr/\Q&lt;a&gt;/, 'param names are HTML escaped by Dump()');
    like($cgi->Dump, qr/\Q&lt;b&gt;/, 'param values are HTML escaped by Dump()');
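To make the defect and the fix concrete without needing CGI.pm installed, here is an added standalone Perl example (not CGI.pm's code and not part of the ticket): it reproduces the shape of the Dump loop before and after the patch, using a stand-in `escape_html` helper in place of CGI::escapeHTML, a constructed `%params` set equivalent to the `<a>=<b>` query string from the tests above, and hypothetical `dump_before`, `dump_after` and `no_raw_markup` functions. The final sweep strips the tags Dump itself emits and looks for any angle bracket left behind, which is the generic check a reviewer would want beyond the two specific `like` assertions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for CGI::escapeHTML (a hypothetical helper for this example,
# not CGI.pm's own implementation): escape the four HTML metacharacters.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Constructed input: one parameter whose name and values both carry markup,
# equivalent to the query string '<a>=<b>' used in the ticket's tests.
my %params = ( '<a>' => [ '<b>', 'plain' ] );

# Same loop shape as the pre-patch Dump: $name is escaped but never used.
sub dump_before {
    my ($p) = @_;
    my @result = ('<ul>');
    foreach my $param ( sort keys %$p ) {
        my ($name) = escape_html($param);
        push @result, "<li><strong>$param</strong></li>";    # raw name leaks through
        push @result, '<ul>';
        foreach my $value ( @{ $p->{$param} } ) {
            push @result, '<li>' . escape_html($value) . '</li>';
        }
        push @result, '</ul>';
    }
    push @result, '</ul>';
    return join "\n", @result;
}

# Post-patch shape: the escaped $name is what reaches the output, while the
# raw $param remains the key used to look the values up.
sub dump_after {
    my ($p) = @_;
    my @result = ('<ul>');
    foreach my $param ( sort keys %$p ) {
        my ($name) = escape_html($param);
        push @result, "<li><strong>$name</strong></li>";
        push @result, '<ul>';
        foreach my $value ( @{ $p->{$param} } ) {
            push @result, '<li>' . escape_html($value) . '</li>';
        }
        push @result, '</ul>';
    }
    push @result, '</ul>';
    return join "\n", @result;
}

# True only if no raw '<' or '>' survives outside the tags Dump emits:
# strip those tags, then look for leftover angle brackets.
sub no_raw_markup {
    my ($html) = @_;
    ( my $stripped = $html ) =~ s{</?(?:ul|li|strong)>}{}g;
    return $stripped !~ /[<>]/;
}

for my $case ( [ 'before patch', \&dump_before ], [ 'after patch', \&dump_after ] ) {
    my ( $label, $fn ) = @$case;
    my $html = $fn->( \%params );
    printf "%-13s name escaped: %-3s value escaped: %-3s no raw markup: %s\n",
        $label,
        ( $html =~ m{<strong>&lt;a&gt;</strong>} ? 'yes' : 'NO' ),
        ( $html =~ m{<li>&lt;b&gt;</li>}         ? 'yes' : 'NO' ),
        ( no_raw_markup($html)                   ? 'yes' : 'NO' );
}
```

Run with `perl dump_escape.pl`: the "before patch" row reports the value escaped but the name not, and the raw-markup sweep catches the literal `<a>` that the two targeted checks alone would miss if the name contained something other than `a`; the "after patch" row passes all three.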
This is now patched in my git repo.
Subject: released, thanks.
I believe this change was released today as part of CGI.pm 3.45. Thanks for the contribution.