+ Added fix for RT 63537 (from Gerv) and tests to check it.
+
Wed 04 Jan 2012 19:34:00 GMT - Release 0.95
Fix regex for JSONP parameter name to be able to include the . chatacter
in Catalyst::Action::Serialize::JSONP. RT#73741
requires('Catalyst::Runtime' => '5.80030');
requires('Params::Validate' => '0.76');
requires('YAML::Syck' => '0.67');
+requires('HTML::Parser' => undef);
requires('Module::Pluggable::Object' => undef);
requires('LWP::UserAgent' => '2.033');
requires('Data::Serializer' => '0.36');
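Review bot: The new prerequisite names `HTML::Parser`, while the serializer change calls `HTML::Entities::encode`. Both modules ship in the same distribution, so installation resolves either way, but declaring the module actually used, `requires('HTML::Entities' => undef);`, makes the reason for the dependency clear to the next maintainer. No minimum version is given, so any installed release satisfies the requirement.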
Gavin Henry <ghenry@surevoip.co.uk>
+ Gerv http://www.gerv.net/
+
+ Colin Newell <colin@opusvl.com>
+
COPYRIGHT
Copyright (c) 2006-2012 the above named AUTHOR and CONTRIBUTORS
Gavin Henry E<lt>ghenry@surevoip.co.ukE<gt>
+Gerv http://www.gerv.net/
+
+Colin Newell <colin@opusvl.com>
+
=head1 COPYRIGHT
Copyright (c) 2006-2012 the above named AUTHOR and CONTRIBUTORS
my $output = "<html>";
$output .= "<title>" . $app . "</title>";
$output .= "<body><pre>";
- my $text = Dump($c->stash->{$stash_key});
+ my $text = HTML::Entities::encode(Dump($c->stash->{$stash_key}));
# Straight from URI::Find
my $finder = URI::Find->new(
sub {
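Review bot: Only the YAML dump is escaped; `$app` is still concatenated unescaped into `<title>` two lines above the changed line. It looks like the application name and so is probably not request-controlled, but that should be confirmed or the value encoded too: `$output .= "<title>" . HTML::Entities::encode($app) . "</title>";`. URI::Find now runs over already-encoded text, and its callback continues past the end of this hunk, so a test with a stashed URL containing `&` or followed by a quote would confirm the generated link is still well formed. The hunk shows no `use HTML::Entities;`, and the fully qualified call needs that module loaded somewhere in the file.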
$c->stash->{'rest'} = { monkey => 'likes chicken!', };
}
+sub xss_get : Local : ActionClass('Serialize') {
+ my ( $self, $c ) = @_;
+ $c->stash->{'rest'} = { monkey => 'likes chicken > sushi!', };
+}
+
+
1;
request( $t->post( url => '/monkey_put', data => Dump($post_data) ) );
ok( $mres_post->is_error, "POST to the monkey failed; no deserializer." );
+ # xss test - RT 63537
+ my $xss_template =
+"<html><title>Test::Serialize</title><body><pre>--- \nmonkey: likes chicken > sushi!\n</pre></body></html>";
+ my $xres = request( $t->get( url => '/xss_get' ) );
+ ok( $xres->is_success, 'GET the xss succeeded' );
+ is( $xres->content, $xss_template, "GET returned the right data" );
+
+
}
1;
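Review bot: As shown here, `$xss_template` expects a literal `>` in the body, but the serializer now passes the dump through `HTML::Entities::encode`, which would emit `&gt;`. Unless the literal is an artifact of how this page renders entities, the `is()` comparison cannot pass as written and the expected string should read `likes chicken &gt; sushi!`. The fixture in `xss_get` also exercises only `>`. A value containing `<`, `&` and a double quote, such as `{ monkey => '<b>"chicken" & sushi</b>' }`, would pin the characters that matter for markup injection.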