Session: encode HTML entities in error

[catagits/Catalyst-Plugin-Session.git] / lib / Catalyst / Plugin / Session.pm

diff --git a/lib/Catalyst/Plugin/Session.pm b/lib/Catalyst/Plugin/Session.pm
index e5967ba..0a2e5ef 100644 (file)
--- a/lib/Catalyst/Plugin/Session.pm
+++ b/lib/Catalyst/Plugin/Session.pm
@@ -9,12 +9,13 @@ use Catalyst::Exception ();
 use Digest              ();
 use overload            ();
 use Object::Signature   ();
+use HTML::Entities      ();
 use Carp;
 use List::Util qw/ max /;
 
 use namespace::clean -except => 'meta';
 
-our $VERSION = '0.38';
+our $VERSION = '0.40';
 $VERSION = eval $VERSION;
 
 my @session_data_accessors; # used in delete_session
@@ -34,6 +35,7 @@ __PACKAGE__->mk_accessors(
           _tried_loading_session_data
           _tried_loading_session_expires
           _tried_loading_flash_data
+          _needs_early_session_finalization
           /
 );
 
@@ -111,6 +113,7 @@ sub finalize_headers {
     # up to date. First call to session_expires will extend the expiry, subs
     # just return the previously extended value.
     $c->session_expires;
+    $c->finalize_session if $c->_needs_early_session_finalization;
 
     return $c->maybe::next::method(@_);
 }
@@ -121,7 +124,8 @@ sub finalize_body {
     # We have to finalize our session *before* $c->engine->finalize_xxx is called,
     # because we do not want to send the HTTP response before the session is stored/committed to
     # the session database (or whatever Session::Store you use).
-    $c->finalize_session;
+    $c->finalize_session unless $c->_needs_early_session_finalization;
+    $c->_clear_session_instance_data;
 
     return $c->maybe::next::method(@_);
 }
@@ -135,7 +139,6 @@ sub finalize_session {
     $c->_save_session;
     $c->_save_flash;
 
-    $c->_clear_session_instance_data;
 }
 
 sub _session_updated {
@@ -478,6 +481,7 @@ sub _load_sessionid {
             $c->_sessionid($sid);
             return $sid;
         } else {
+            $sid = HTML::Entities::encode_entities($sid);
             my $err = "Tried to set invalid session ID '$sid'";
             $c->log->error($err);
             Catalyst::Exception->throw($err);
@@ -1238,7 +1242,7 @@ And countless other contributers from #catalyst. Thanks guys!
 
 Devin Austin (dhoss) <dhoss@cpan.org>
 
-Robert Rothenberg <rrwo@cpan.org>
+Robert Rothenberg <rrwo@cpan.org> (on behalf of Foxtons Ltd.)
 
 =head1 COPYRIGHT & LICENSE