Subject: Section entirely wrong and encourages XSS
Date: Tue, 25 May 2010 17:10:52 +0100
To: bug-Catalyst-Manual [...] rt.cpan.org
From: Tomas Doran <bobtfish [...] bobtfish.net>
As reported on irc:
16:58 < guest_007> Hello i am reading http://search.cpan.org/~hkclark/Catalyst-Manual-5.8004/lib/Catalyst/Manual/Tutorial/04_BasicCRUD.pod#Try_the_Delete_and_Redirect_With_Query_Param_Logic
16:59 < guest_007> What does it mean? The green "Book deleted" status message should return. But notice that you can now hit the "Reload" button in your browser and it just redisplays the book list (and it correctly shows it without the "Book deleted" message on redisplay
17:00 < guest_007> If the msg is in query parameter I can hit reload forever and it will show "Book deleted"
This is entirely wrong, as the section above changes the code to embed
the message into a query parameter.
This is bad, as (a) the explanation is entirely wrong, and clicking
'Reload' will still redisplay the message, and (b) this allows
arbitrary HTML and JS to be injected by the user by putting it into a
query parameter: a classic cross-site scripting vulnerability.
This should be fixed by putting the message to display into the
session, and a unique token into the URI which is used to retrieve the
message...
Cheers
t0m
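The two patterns the report contrasts, as an added example that is not from the report, the tutorial or Catalyst itself: plain Perl in which a hash stands in for `$c->session` and `$c->request->params`, so it runs without Catalyst installed. The `set_status_msg`/`get_status_msg` names, the `mid` query parameter and the read from `/dev/urandom` are assumptions of this example; `vulnerable_render` mirrors the query-parameter approach the report objects to.

```perl
#!/usr/bin/env perl
# Added example (not from the report, the tutorial or Catalyst): the
# query-parameter pattern the report objects to, next to the
# message-in-session / token-in-URI pattern it recommends.  A plain hash
# stands in for $c->session and $c->request->params so this runs without
# Catalyst; the function names and the "mid" parameter are assumptions.
use strict;
use warnings;

# Minimal HTML escaping. HTML::Entities is not in core Perl, so do it inline.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# 128 random bits from the kernel CSPRNG (assumes a Unix-like /dev/urandom).
sub new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read $fh, my $bytes, 16 or die "short read from /dev/urandom: $!";
    close $fh;
    return unpack 'H*', $bytes;    # 32 lowercase hex characters
}

# --- the pattern the report objects to -------------------------------------
# delete:   $c->response->redirect($c->uri_for('/books/list',
#               { status_msg => 'Book deleted' }));
# list:     $c->stash->{status_msg} = $c->request->params->{status_msg};
# template: <span class="message">[% status_msg %]</span>   (no escaping)
# Whatever is in the query string lands in the page, and a reload resends it.
sub vulnerable_render {
    my ($params) = @_;
    my $msg = defined $params->{status_msg} ? $params->{status_msg} : '';
    return qq{<span class="message">$msg</span>};
}

# --- message in the session, opaque token in the URI ------------------------
# Store the message server-side under a random token and return the token;
# the redirect then carries only the token:  /books/list?mid=<token>
sub set_status_msg {
    my ($session, $msg) = @_;
    my $token = new_token();
    $session->{status_msg}{$token} = $msg;
    return $token;
}

# Look the token up and delete it: a second request with the same token
# (the "Reload" case) gets nothing, and a token the user invents matches
# nothing, so the page never shows user-supplied text.
sub get_status_msg {
    my ($session, $token) = @_;
    return '' unless defined $token && $token =~ /\A[0-9a-f]{32}\z/;
    my $msg = delete $session->{status_msg}{$token};
    return defined $msg ? $msg : '';
}

# Render as the list action would; escape anyway, as defence in depth.
sub fixed_render {
    my ($session, $params) = @_;
    my $msg = get_status_msg($session, $params->{mid});
    return '' if $msg eq '';
    return '<span class="message">' . escape_html($msg) . '</span>';
}

# Demo with a constructed XSS payload in place of the "Book deleted" text.
my $payload = '<script>alert(document.cookie)</script>';
print "vulnerable: ", vulnerable_render({ status_msg => $payload }), "\n";

my %session;    # stands in for $c->session
my $mid = set_status_msg(\%session, 'Book deleted');
print "redirect:   /books/list?mid=$mid\n";
print "first load: ", fixed_render(\%session, { mid => $mid }), "\n";
print "reload:     [", fixed_render(\%session, { mid => $mid }), "]\n";
print "forged mid: [", fixed_render(\%session, { mid => $payload }), "]\n";
```

Run it and the first line shows the raw `<script>` tag reaching the page; the fixed path shows the escaped message once, then an empty span on reload and on a forged `mid`. Catalyst::Plugin::Session's `$c->flash` is the nearest built-in for one-shot messages, but it is keyed on the session rather than on a per-redirect token, so two tabs in the same session can pick up each other's message; the token in the URI is what ties the message to the one response that should show it.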