
This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 21341
Status: resolved
Priority: 0/
Queue: CGI

Owner: MARKSTOS [...]
Requestors: MARKSTOS [...]

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)

Subject: PATCH: Param names not escaped properly in Dump, allowing raw HTML through
escapeHTML was not being used on parameter names in Dump. The below patch fixes it. ( escapeHTML was being called, but the escaped value was being ignored!) Mark --- 2006-09-06 03:46:17.000000000 +0200 +++ 2006-09-06 03:44:51.000000000 +0200 @@ -1259,8 +1259,7 @@ push(@result,"<ul>"); foreach $param ($self->param) { my($name)=$self->escapeHTML($param); - push(@result,"<li><strong>$param</strong></li>"); + push(@result,"<li><strong>$name</strong></li>"); push(@result,"<ul>"); foreach $value ($self->param($param)) { $value = $self->escapeHTML($value);
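Review bot: the `+` line correctly switches the emitted name to `$name`, the escaped copy that `my($name)=$self->escapeHTML($param);` already computes and that the old line discarded; `$param` rightly stays unescaped in `$self->param($param)`, where it is a lookup key rather than output. Two things to check before applying: the hunk header `@@ -1259,8 +1259,7 @@` claims 8 old and 7 new lines for a change that removes one line and adds one, and the `---`/`+++` headers carry only timestamps with no file path, so `patch` will need the target file named on the command line or the diff regenerated with `diff -u CGI.pm.orig CGI.pm`. A regression test exercising `Dump` with a parameter name containing `<` would make the fix verifiable.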
I've reconfirmed this issue is still open in 3.43, and I believe this patch is correct and will still apply cleanly. Here are some tests for it. They will show the values are escaped, but the names are currently not:

    use Test::More 'no_plan';
    use CGI;
    # a query string whose parameter name and value both contain markup
    my $cgi = CGI->new('<a>=<b>');
    like($cgi->Dump, qr/\Q&lt;a&gt;/, 'param names are HTML escaped by Dump()');
    like($cgi->Dump, qr/\Q&lt;b&gt;/, 'param values are HTML escaped by Dump()');
This is now patched in my git repo.
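Added example, not the ticket's patch and not CGI.pm's own code: a simplified stand-in for the Dump() loop in its pre-patch and patched forms, with the tests above run against both, so the escaped-but-ignored bug can be seen without CGI.pm installed. escape_html, parse_query, dump_buggy and dump_fixed are names this example introduces; escape_html mirrors the four substitutions CGI::escapeHTML makes (&, <, >, "), and parse_query is a constructed helper that does no URL-decoding.

```perl
#!/usr/bin/env perl
# Added example (not CGI.pm code): a reduced Dump() loop, buggy and fixed.
use strict;
use warnings;
use Test::More;

# Stand-in for CGI::escapeHTML: the same four substitutions (assumption,
# kept local so the script runs without CGI.pm).
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Constructed helper: split 'n1=v1&n2=v2' into (ordered names, name => [values]).
# No URL-decoding; CGI->new('<a>=<b>') does the real parsing on the page.
sub parse_query {
    my ($qs) = @_;
    my (@order, %params);
    for my $pair (split /&/, $qs) {
        my ($name, $value) = split /=/, $pair, 2;
        push @order, $name unless exists $params{$name};
        push @{ $params{$name} }, defined $value ? $value : '';
    }
    return (\@order, \%params);
}

# Pre-patch shape of the loop: the escaped name is computed, then ignored.
sub dump_buggy {
    my ($order, $params) = @_;
    my @result = ('<ul>');
    for my $param (@$order) {
        my $name = escape_html($param);
        push @result, "<li><strong>$param</strong></li>";    # bug: $name unused
        push @result, '<ul>';
        push @result, '<li>' . escape_html($_) . '</li>' for @{ $params->{$param} };
        push @result, '</ul>';
    }
    push @result, '</ul>';
    return join "\n", @result;
}

# Patched shape of the loop: the escaped name is what gets emitted.
sub dump_fixed {
    my ($order, $params) = @_;
    my @result = ('<ul>');
    for my $param (@$order) {
        my $name = escape_html($param);
        push @result, "<li><strong>$name</strong></li>";     # fix: use $name
        push @result, '<ul>';
        # $param stays raw here: it is the lookup key, not output
        push @result, '<li>' . escape_html($_) . '</li>' for @{ $params->{$param} };
        push @result, '</ul>';
    }
    push @result, '</ul>';
    return join "\n", @result;
}

# Constructed input: markup in the name, the value, and a quoted second value.
my ($order, $params) = parse_query('<a>=<b>&x="1"');

my $before = dump_buggy($order, $params);
like($before,   qr{<strong><a></strong>}, 'buggy Dump emits the raw parameter name');
like($before,   qr/\Q&lt;b&gt;/,          'buggy Dump still escapes values');

my $after = dump_fixed($order, $params);
like($after,    qr/\Q&lt;a&gt;/,          'param names are HTML escaped by Dump()');
like($after,    qr/\Q&lt;b&gt;/,          'param values are HTML escaped by Dump()');
like($after,    qr/\Q&quot;1&quot;/,      'quotes in values are escaped too');
unlike($after,  qr{<strong><a>},          'no raw markup from the name survives');

done_testing;
```

Run it with `prove -v` or plain `perl`; the two `dump_buggy` checks pass precisely because the bug is present, which is the same distinction the tests on the ticket draw against the real `Dump` before and after the patch.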
Subject: released, thanks.
I believe this change was released today as part of 3.45. Thanks for the contribution.
