Without this, it's possible to self-XSS by trying to set a session id to
something like `</script><svg/onload='alert("xss")'>`.
use Digest ();
use overload ();
use Object::Signature ();
+use HTML::Entities ();
use Carp;
use List::Util qw/ max /;
$c->_sessionid($sid);
return $sid;
} else {
+ $sid = HTML::Entities::encode_entities($sid);
my $err = "Tried to set invalid session ID '$sid'";
$c->log->error($err);
Catalyst::Exception->throw($err);
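Review bot: The added `$sid = HTML::Entities::encode_entities($sid);` escapes the value where the message is built rather than where it is rendered, so the same encoded string goes to both `$c->log->error` and `Catalyst::Exception->throw`. The log entry will therefore hold `&lt;/script&gt;…` instead of the characters the client sent, which matters to anyone searching logs for the raw payload. Any other exception text that embeds request data is presumably still rendered unescaped by the error page, but that renderer is not visible here. I would leave `$sid` intact and interpolate a separate variable into `$err`, e.g. `my $safe_sid = HTML::Entities::encode_entities($sid); # client-controlled; entity-encoded for the log and the HTML error page`. The enclosing sub and its `if` start outside the hunk.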