Subject: [with solution] 1: Possible XSS attack 2: persistent message on /login
Hello!
Context:
http://search.cpan.org/~hkclark/Catalyst-Manual-5.8004/lib/Catalyst/Manual/Tutorial/04_BasicCRUD.pod
The first XSS attack is possible when status_msg is added to the URL ({status_msg => "Book deleted."}).
This isn't really worrying, because this technique is removed in the next tutorial (when flash is used).
The solution is to add | html in wrapper.tt2.
Change: <span class="message">[% status_msg || c.request.params.status_msg %]</span>
to: <span class="message">[% status_msg || c.request.params.status_msg | html %]</span>
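As an added illustration (not part of the original message or the Catalyst tutorial), this stand-alone Perl script renders both versions of the wrapper.tt2 line with Template Toolkit against a constructed status_msg containing markup; $c->request->params is stubbed with nested hashes, which TT2 dot notation walks the same way.

```perl
#!/usr/bin/env perl
# Added example (not from the original post or the Catalyst tutorial):
# render the vulnerable and the hardened wrapper.tt2 line with Template Toolkit
# and compare what would reach the browser. Assumes Template Toolkit is installed.
use strict;
use warnings;
use Template;

# The two template fragments discussed above, verbatim.
my $vulnerable = '<span class="message">[% status_msg || c.request.params.status_msg %]</span>';
my $hardened   = '<span class="message">[% status_msg || c.request.params.status_msg | html %]</span>';

# Constructed input standing in for ?status_msg=... on the URL. Nested hashes
# stand in for $c->request->params; the stash deliberately has no status_msg,
# so the template falls through to the request parameter.
my $tainted = 'Book deleted.<script>/* constructed marker */</script>';
my $vars = {
    c => { request => { params => { status_msg => $tainted } } },
};

my $tt = Template->new();

# Render a template string with the given variables and return the output.
sub render {
    my ($template, $vars) = @_;
    my $out = '';
    $tt->process(\$template, $vars, \$out) or die $tt->error;
    return $out;
}

# True when the rendered output no longer contains a raw <script> tag,
# i.e. the markup was escaped rather than passed through.
sub is_escaped {
    my ($html) = @_;
    return $html !~ /<script>/;
}

for my $case ([ vulnerable => $vulnerable ], [ hardened => $hardened ]) {
    my ($name, $template) = @$case;
    my $html = render($template, $vars);
    printf "%-10s escaped=%s  %s\n", $name, (is_escaped($html) ? 'yes' : 'no'), $html;
}
```

The vulnerable line echoes the parameter unchanged, while the `| html` filter turns `<`, `>`, `&` and `"` into entities so the injected tag is displayed as text.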
-------
Second,
Context:
http://search.cpan.org/~hkclark/Catalyst-Manual-5.8004/lib/Catalyst/Manual/Tutorial/05_Authentication.pod
In the /login method (sub index :Path :Args(0) {), when you are already logged in and return to the page, you get the message "Empty username or password." even though you never made a POST, because you are already logged in.
To stop this message from appearing when you have not posted and are already logged in, you can add an unless condition:
$c->stash(error_msg => "Empty username or password.") unless ($c->user_exists);
Thanks