
This queue is for tickets about the Catalyst-Manual CPAN distribution.

Report information
The Basics
Id: 62095
Status: resolved
Priority: 0/
Queue: Catalyst-Manual

Owner: HKCLARK [...]
Requestors: RENTOCRON [...]

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)

Subject: [with solve] 1: Probability XSS attack 2: persistent message on /login
Hello!

Context: the first XSS attack was open when adding status_msg to the URL ({status_msg => "Book deleted."}). This really doesn't worry me, because this technique gets removed in the next tutorial (when flash is used). The solution is to add | html in wrapper.tt2, changing:

    <span class="message">[% status_msg || c.request.params.status_msg %]</span>

to:

    <span class="message">[% status_msg || c.request.params.status_msg | html %]</span>

-------

Two, context: in the /login method (sub index :Path :Args(0) {), when you get logged in and return to the page, you get the message "Empty username or password.", but you didn't even make a POST, because you are already logged in. To make this message stop appearing unless you have no POST and have logged in, you can add an unless condition as:

    $c->stash(error_msg => "Empty username or password.") unless ($c->user_exists);

Thanks
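To see why the `| html` filter matters, the following added example (not code from the ticket or from Catalyst-Manual) renders the two wrapper.tt2 fragments quoted above with Template Toolkit, using a constructed stash and a constructed request parameter that stands in for c.request.params.status_msg. The `render` helper and the hash layout mimicking `$c` are assumptions for the demo.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Template;

# Constructed stand-in for the Catalyst context: no status_msg in the
# stash, so the template falls back to the request parameter, which is
# attacker-controlled because it comes straight from the URL.
my %vars = (
    status_msg => undef,
    c => { request => { params => { status_msg => '<script>alert(1)</script>' } } },
);

# Fragment before the fix: the parameter is echoed into the page as raw HTML.
my $unsafe = '<span class="message">[% status_msg || c.request.params.status_msg %]</span>';

# Fragment after the fix: the html filter escapes <, >, & and " on output.
my $safe   = '<span class="message">[% status_msg || c.request.params.status_msg | html %]</span>';

# Hypothetical helper: render one template string with the given variables.
sub render {
    my ($template, $vars) = @_;
    my $tt  = Template->new() or die Template->error();
    my $out = '';
    $tt->process(\$template, $vars, \$out) or die $tt->error();
    return $out;
}

print "unescaped: ", render($unsafe, \%vars), "\n";
print "escaped:   ", render($safe,   \%vars), "\n";

# The escaped variant contains no literal '<' from the parameter, so the
# browser shows the text instead of executing it.
die "filter did not escape" if render($safe, \%vars) =~ /<script>/;
```

The unescaped line prints the script tag verbatim inside the span; the escaped line prints it as `&lt;script&gt;alert(1)&lt;/script&gt;`.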
Good suggestions. Looks like both have already been implemented as of 5.9000. I also added a clarification note about the XSS issue to Chapter 4.
