projects / catagits/Catalyst-Runtime.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw
HTML encode the link in the 302 redirect page to prevent XSS.
[catagits/Catalyst-Runtime.git] / lib / Catalyst.pm
diff --git a/lib/Catalyst.pm b/lib/Catalyst.pm
index 18a0f35..0b2c012 100644 (file)
--- a/lib/Catalyst.pm
+++ b/lib/Catalyst.pm
@@ -23,6 +23,7 @@ use Path::Class::File ();
 use URI ();
 use URI::http;
 use URI::https;
+use HTML::Entities;
 use Tree::Simple qw/use_weak_refs/;
 use Tree::Simple::Visitor::FindByUID;
 use Class::C3::Adopt::NEXT;
@@ -1869,6 +1870,7 @@ sub finalize_headers {
 
         if ( !$response->has_body ) {
             # Add a default body if none is already present
+            my $encoded_location = encode_entities($location);
             $response->body(<<"EOF");
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml"> 
@@ -1876,7 +1878,7 @@ sub finalize_headers {
     <title>Moved</title>
   </head>
   <body>
-     <p>This item has moved <a href="$location">here</a>.</p>
+     <p>This item has moved <a href="$encoded_location">here</a>.</p>
   </body>
 </html>
 EOF
The Perl MVC Framework (catagits@git.shadowcat.co.uk:Catalyst-Runtime.git)