From: Tomas Doran
Date: Mon, 30 Jan 2012 11:21:59 +0000 (+0000)
Subject: Added fix for RT 63537 (from Gerv) and tests to check it.
X-Git-Tag: 0.96~1
X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=8aa1a2eeb6a2f0170ca8548a3862eb874b07238b;p=catagits%2FCatalyst-Action-REST.git
Added fix for RT 63537 (from Gerv) and tests to check it.
---
diff --git a/Changes b/Changes
index 2b0f9df..f1c2d06 100644
--- a/Changes
+++ b/Changes
@@ -1,3 +1,5 @@
+ Added fix for RT 63537 (from Gerv) and tests to check it.
+
 Wed 04 Jan 2012 19:34:00 GMT - Release 0.95 Fix regex for JSONP parameter name to be able to include the . chatacter in Catalyst::Action::Serialize::JSONP. RT#73741
diff --git a/Makefile.PL b/Makefile.PL
index 8b0ce01..317c0be 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -14,6 +14,7 @@ requires 'namespace::autoclean';
 requires('Catalyst::Runtime' => '5.80030');
 requires('Params::Validate' => '0.76');
 requires('YAML::Syck' => '0.67');
+requires('HTML::Parser' => undef);
 requires('Module::Pluggable::Object' => undef);
 requires('LWP::UserAgent' => '2.033');
 requires('Data::Serializer' => '0.36');
diff --git a/README b/README
index f1259c4..ae77756 100644
--- a/README
+++ b/README
@@ -104,6 +104,10 @@ CONTRIBUTORS
 Gavin Henry
+ Gerv http://www.gerv.net/
+
+ Colin Newell
+
 COPYRIGHT Copyright (c) 2006-2012 the above named AUTHOR and CONTRIBUTORS
diff --git a/lib/Catalyst/Action/REST.pm b/lib/Catalyst/Action/REST.pm
index 8568799..b129bf9 100644
--- a/lib/Catalyst/Action/REST.pm
+++ b/lib/Catalyst/Action/REST.pm
@@ -226,6 +226,10 @@ J. Shirley Ejshirley@gmail.comE
 Gavin Henry Eghenry@surevoip.co.ukE
+Gerv http://www.gerv.net/
+
+Colin Newell
+
 =head1 COPYRIGHT Copyright (c) 2006-2012 the above named AUTHOR and CONTRIBUTORS
diff --git a/lib/Catalyst/Action/Serialize/YAML/HTML.pm b/lib/Catalyst/Action/Serialize/YAML/HTML.pm
index 717108d..d71ce9e 100644
--- a/lib/Catalyst/Action/Serialize/YAML/HTML.pm
+++ b/lib/Catalyst/Action/Serialize/YAML/HTML.pm
@@ -23,7 +23,7 @@ sub execute {
 my $output = "";
 $output .= "" . $app . "";
 $output .= "
";
-    my $text = Dump($c->stash->{$stash_key});
+    my $text = HTML::Entities::encode(Dump($c->stash->{$stash_key}));
     # Straight from URI::Find
     my $finder = URI::Find->new(
                               sub {
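Review bot: The new line calls `HTML::Entities::encode` with a fully qualified name, but the hunk adds no `use HTML::Entities;` to this file and the Makefile.PL hunk only declares the HTML::Parser dependency; unless the module is already loaded elsewhere in the file, the first request served by this serializer dies with an undefined-subroutine error, and the new test only catches that when its `SKIP` block is not skipped. Add `use HTML::Entities ();` alongside the file's other imports (the module header is outside the hunk). Note also that `encode` with no second argument escapes control and non-ASCII characters as entity references in addition to the HTML-significant `<>&"'`, so non-ASCII stash values now render as entities; if that is unwanted, pass the set explicitly, `HTML::Entities::encode(Dump($c->stash->{$stash_key}), '<>&"')`. Encoding before URI::Find runs on `$text` (the `$finder` lines below) appears to be the right order, since the anchors it generates are then built from already-escaped text. `execute` begins and ends outside the hunk.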
diff --git a/t/lib/Test/Serialize/Controller/REST.pm b/t/lib/Test/Serialize/Controller/REST.pm
index fa1cac2..8c1d5f2 100644
--- a/t/lib/Test/Serialize/Controller/REST.pm
+++ b/t/lib/Test/Serialize/Controller/REST.pm
@@ -55,4 +55,10 @@ sub monkey_get : Local : ActionClass('Serialize') {
     $c->stash->{'rest'} = { monkey => 'likes chicken!', };
 }
 
+sub xss_get : Local : ActionClass('Serialize') {
+    my ( $self, $c ) = @_;
+    $c->stash->{'rest'} = { monkey => 'likes chicken > sushi!', };
+}
+
+
 1;
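Review bot: The fixture in `xss_get` exercises only `>`; `<`, `&` and `"` are also in the set HTML::Entities encodes and are the characters an output-encoding regression test most needs to cover, so the stash value should include them too, e.g. `monkey => 'likes <chicken> & "sushi" > ramen!'`, with the expected string in t/yaml-html.t updated to the entity-encoded form. The two added blank lines before `1;` can be reduced to one, matching the spacing after `monkey_get`. The enclosing package starts before the hunk.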
diff --git a/t/yaml-html.t b/t/yaml-html.t
index a77f085..bf9bf10 100644
--- a/t/yaml-html.t
+++ b/t/yaml-html.t
@@ -28,6 +28,14 @@ SKIP: {
       request( $t->post( url => '/monkey_put', data => Dump($post_data) ) );
     ok( $mres_post->is_error, "POST to the monkey failed; no deserializer." );
 
+    # xss test - RT 63537
+    my $xss_template =
+"Test::Serialize
--- \nmonkey: likes chicken > sushi!\n
"; + my $xres = request( $t->get( url => '/xss_get' ) ); + ok( $xres->is_success, 'GET the xss succeeded' ); + is( $xres->content, $xss_template, "GET returned the right data" ); + + } 1;