line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Dancer::Plugin::EscapeHTML; |
2
|
|
|
|
|
|
|
|
3
|
2
|
|
|
2
|
|
386303
|
use warnings; |
|
2
|
|
|
|
|
6
|
|
|
2
|
|
|
|
|
78
|
|
4
|
2
|
|
|
2
|
|
13
|
use strict; |
|
2
|
|
|
|
|
3
|
|
|
2
|
|
|
|
|
70
|
|
5
|
|
|
|
|
|
|
|
6
|
2
|
|
|
2
|
|
1831
|
use Dancer::Plugin; |
|
2
|
|
|
|
|
97577
|
|
|
2
|
|
|
|
|
212
|
|
7
|
2
|
|
|
2
|
|
1067
|
use Dancer qw(:syntax); |
|
2
|
|
|
|
|
228892
|
|
|
2
|
|
|
|
|
14
|
|
8
|
|
|
|
|
|
|
|
9
|
2
|
|
|
2
|
|
3514
|
use HTML::Entities; |
|
2
|
|
|
|
|
17942
|
|
|
2
|
|
|
|
|
229
|
|
10
|
2
|
|
|
2
|
|
25
|
use Scalar::Util qw(blessed reftype); |
|
2
|
|
|
|
|
5
|
|
|
2
|
|
|
|
|
1190
|
|
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
our $VERSION = '0.22'; |
13
|
|
|
|
|
|
|
|
14
|
|
|
|
|
|
|
=head1 NAME |
15
|
|
|
|
|
|
|
|
16
|
|
|
|
|
|
|
Dancer::Plugin::EscapeHTML - Escape HTML entities to avoid XSS vulnerabilities |
17
|
|
|
|
|
|
|
|
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
=head1 SYNOPSIS |
20
|
|
|
|
|
|
|
|
21
|
|
|
|
|
|
|
This plugin provides convenience keywords C and |
22
|
|
|
|
|
|
|
C which are simply quick shortcuts to C |
23
|
|
|
|
|
|
|
and C from L. |
24
|
|
|
|
|
|
|
|
25
|
|
|
|
|
|
|
|
26
|
|
|
|
|
|
|
use Dancer::Plugin::EscapeHTML; |
27
|
|
|
|
|
|
|
|
28
|
|
|
|
|
|
|
my $encoded = escape_html($some_html); |
29
|
|
|
|
|
|
|
|
30
|
|
|
|
|
|
|
|
31
|
|
|
|
|
|
|
It also provides optional automatic escaping of all HTML (see below.) |
32
|
|
|
|
|
|
|
|
33
|
|
|
|
|
|
|
|
34
|
|
|
|
|
|
|
=head1 DESCRIPTION |
35
|
|
|
|
|
|
|
|
36
|
|
|
|
|
|
|
This plugin is intended to provide a quick and simple way to ensure that |
37
|
|
|
|
|
|
|
HTML passed in the tokens hashref to the template is safely escaped (encoded), |
38
|
|
|
|
|
|
|
thereby helping to avoid |
39
|
|
|
|
|
|
|
L. |
40
|
|
|
|
|
|
|
|
41
|
|
|
|
|
|
|
You can encode specific bits of data yourself using the C and |
42
|
|
|
|
|
|
|
C keywords, or you can enable automatic escaping of all values |
43
|
|
|
|
|
|
|
passed to the template. |
44
|
|
|
|
|
|
|
|
45
|
|
|
|
|
|
|
|
46
|
|
|
|
|
|
|
=head1 KEYWORDS |
47
|
|
|
|
|
|
|
|
48
|
|
|
|
|
|
|
When the plugin is loaded, the following keywords are exported to your app: |
49
|
|
|
|
|
|
|
|
50
|
|
|
|
|
|
|
=head2 escape_html |
51
|
|
|
|
|
|
|
|
52
|
|
|
|
|
|
|
Encodes HTML entities; shortcut to C from L |
53
|
|
|
|
|
|
|
|
54
|
|
|
|
|
|
|
=cut |
55
|
|
|
|
|
|
|
|
56
|
|
|
|
|
|
|
register 'escape_html' => sub { |
57
|
1
|
|
|
1
|
|
4895
|
return HTML::Entities::encode_entities(@_); |
58
|
|
|
|
|
|
|
}; |
59
|
|
|
|
|
|
|
|
60
|
|
|
|
|
|
|
|
61
|
|
|
|
|
|
|
=head2 unescape_html |
62
|
|
|
|
|
|
|
|
63
|
|
|
|
|
|
|
Decodes HTML entities; shortcut to C from L |
64
|
|
|
|
|
|
|
|
65
|
|
|
|
|
|
|
=cut |
66
|
|
|
|
|
|
|
|
67
|
|
|
|
|
|
|
register 'unescape_html' => sub { |
68
|
0
|
|
|
0
|
|
0
|
return HTML::Entities::decode_entities(@_); |
69
|
|
|
|
|
|
|
}; |
70
|
|
|
|
|
|
|
|
71
|
|
|
|
|
|
|
=head1 Automatic HTML encoding |
72
|
|
|
|
|
|
|
|
73
|
|
|
|
|
|
|
If desired, you can also enable automatic HTML encoding of all params passed to |
74
|
|
|
|
|
|
|
templates. |
75
|
|
|
|
|
|
|
|
76
|
|
|
|
|
|
|
If you're using Template Toolkit, you may wish to look instead at |
77
|
|
|
|
|
|
|
L which takes care of this reliably at the template |
78
|
|
|
|
|
|
|
engine level, and is more widely-used and tested than this module. |
79
|
|
|
|
|
|
|
|
80
|
|
|
|
|
|
|
To arrange for this plugin to automatically encode HTML entities, enable the |
81
|
|
|
|
|
|
|
automatic_encoding option in your app's config - for instance, add the |
82
|
|
|
|
|
|
|
following to your C: |
83
|
|
|
|
|
|
|
|
84
|
|
|
|
|
|
|
plugins: |
85
|
|
|
|
|
|
|
EscapeHTML: |
86
|
|
|
|
|
|
|
automatic_escaping: 1 |
87
|
|
|
|
|
|
|
|
88
|
|
|
|
|
|
|
Now, all values passed to the template will be automatically encoded, so you |
89
|
|
|
|
|
|
|
should be protected from potential XSS vulnerabilities. |
90
|
|
|
|
|
|
|
|
91
|
|
|
|
|
|
|
Of course, this has the drawback that you cannot provide pre-prepared HTML in |
92
|
|
|
|
|
|
|
template params to be used "as is". You can get round this by using the |
93
|
|
|
|
|
|
|
C option to provide a pattern to match token names which should |
94
|
|
|
|
|
|
|
be exempted from automatic escaping - for example: |
95
|
|
|
|
|
|
|
|
96
|
|
|
|
|
|
|
plugins: |
97
|
|
|
|
|
|
|
EscapeHTML: |
98
|
|
|
|
|
|
|
automatic_escaping: 1 |
99
|
|
|
|
|
|
|
exclude_pattern: '_html$' |
100
|
|
|
|
|
|
|
|
101
|
|
|
|
|
|
|
The above would exclude token names ending in C<_html> from being escaped. |
102
|
|
|
|
|
|
|
|
103
|
|
|
|
|
|
|
By default, blessed objects being passed to the template will be left |
104
|
|
|
|
|
|
|
unmolested, as digging around in the internals of the object is probably not |
105
|
|
|
|
|
|
|
wise or desirable. However, if you do want this to be done, set the |
106
|
|
|
|
|
|
|
C setting to a true value, and objects will be treated just |
107
|
|
|
|
|
|
|
like any other hashref/arrayref. |
108
|
|
|
|
|
|
|
|
109
|
|
|
|
|
|
|
=cut |
110
|
|
|
|
|
|
|
|
111
|
|
|
|
|
|
|
my $exclude_pattern; |
112
|
|
|
|
|
|
|
my $traverse_objects; |
113
|
|
|
|
|
|
|
my %seen; |
114
|
|
|
|
|
|
|
|
115
|
|
|
|
|
|
|
hook before_template_render => sub { |
116
|
|
|
|
|
|
|
my $tokens = shift; |
117
|
|
|
|
|
|
|
my $config = plugin_setting; |
118
|
|
|
|
|
|
|
return unless $config->{automatic_escaping}; |
119
|
|
|
|
|
|
|
|
120
|
|
|
|
|
|
|
# compile $exclude_pattern once per template call |
121
|
|
|
|
|
|
|
$exclude_pattern = exists $config->{exclude_pattern} |
122
|
|
|
|
|
|
|
? qr/$config->{exclude_pattern}/ |
123
|
|
|
|
|
|
|
: undef; |
124
|
|
|
|
|
|
|
|
125
|
|
|
|
|
|
|
$traverse_objects = $config->{traverse_objects}; |
126
|
|
|
|
|
|
|
|
127
|
|
|
|
|
|
|
# flush seen cache |
128
|
|
|
|
|
|
|
%seen = (); |
129
|
|
|
|
|
|
|
|
130
|
|
|
|
|
|
|
$tokens = _encode($tokens); |
131
|
|
|
|
|
|
|
}; |
132
|
|
|
|
|
|
|
|
133
|
|
|
|
|
|
|
# Encode values, recursing down into hash/arrayrefs. |
134
|
|
|
|
|
|
|
sub _encode { |
135
|
226
|
|
|
226
|
|
308
|
my $in = shift; |
136
|
|
|
|
|
|
|
|
137
|
226
|
100
|
|
|
|
426
|
return unless defined $in; # avoid interpolation warnings |
138
|
|
|
|
|
|
|
|
139
|
215
|
100
|
|
|
|
594
|
return HTML::Entities::encode_entities($in) |
140
|
|
|
|
|
|
|
unless ref $in; |
141
|
|
|
|
|
|
|
|
142
|
53
|
100
|
|
|
|
131
|
return $in |
143
|
|
|
|
|
|
|
if exists $seen{scalar $in}; # avoid reference loops |
144
|
|
|
|
|
|
|
|
145
|
51
|
|
|
|
|
118
|
$seen{scalar $in} = 1; |
146
|
|
|
|
|
|
|
|
147
|
51
|
100
|
100
|
|
|
421
|
if (ref $in eq 'ARRAY' |
|
|
100
|
66
|
|
|
|
|
|
|
|
66
|
|
|
|
|
|
|
|
66
|
|
|
|
|
|
|
|
66
|
|
|
|
|
|
|
|
66
|
|
|
|
|
148
|
|
|
|
|
|
|
or ($traverse_objects && blessed($in) && reftype($in) eq 'ARRAY')) |
149
|
|
|
|
|
|
|
{ |
150
|
1
|
|
|
|
|
5
|
$in->[$_] = _encode($in->[$_]) for (0..$#$in); |
151
|
|
|
|
|
|
|
} elsif (ref $in eq 'HASH' |
152
|
|
|
|
|
|
|
or ($traverse_objects && blessed($in) && reftype($in) eq 'HASH')) |
153
|
|
|
|
|
|
|
{ |
154
|
43
|
|
|
|
|
131
|
while (my($k,$v) = each %$in) { |
155
|
223
|
100
|
66
|
|
|
3957
|
next if defined $exclude_pattern |
156
|
|
|
|
|
|
|
&& $k =~ $exclude_pattern; |
157
|
222
|
|
|
|
|
387
|
$in->{$k} = _encode($v); |
158
|
|
|
|
|
|
|
} |
159
|
|
|
|
|
|
|
} |
160
|
|
|
|
|
|
|
|
161
|
51
|
|
|
|
|
444
|
return $in; |
162
|
|
|
|
|
|
|
} |
163
|
|
|
|
|
|
|
|
164
|
|
|
|
|
|
|
|
165
|
|
|
|
|
|
|
=head1 SEE ALSO |
166
|
|
|
|
|
|
|
|
167
|
|
|
|
|
|
|
L |
168
|
|
|
|
|
|
|
|
169
|
|
|
|
|
|
|
L |
170
|
|
|
|
|
|
|
|
171
|
|
|
|
|
|
|
L |
172
|
|
|
|
|
|
|
|
173
|
|
|
|
|
|
|
|
174
|
|
|
|
|
|
|
|
175
|
|
|
|
|
|
|
=head1 AUTHOR |
176
|
|
|
|
|
|
|
|
177
|
|
|
|
|
|
|
David Precious, C<< >> |
178
|
|
|
|
|
|
|
|
179
|
|
|
|
|
|
|
=head1 ACKNOWLEDGEMENTS |
180
|
|
|
|
|
|
|
|
181
|
|
|
|
|
|
|
Tom Rathborne C<< >> |
182
|
|
|
|
|
|
|
|
183
|
|
|
|
|
|
|
|
184
|
|
|
|
|
|
|
=head1 LICENSE AND COPYRIGHT |
185
|
|
|
|
|
|
|
|
186
|
|
|
|
|
|
|
Copyright 2011 David Precious. |
187
|
|
|
|
|
|
|
|
188
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or modify it |
189
|
|
|
|
|
|
|
under the terms of either: the GNU General Public License as published |
190
|
|
|
|
|
|
|
by the Free Software Foundation; or the Artistic License. |
191
|
|
|
|
|
|
|
|
192
|
|
|
|
|
|
|
See http://dev.perl.org/licenses/ for more information. |
193
|
|
|
|
|
|
|
|
194
|
|
|
|
|
|
|
|
195
|
|
|
|
|
|
|
=cut |
196
|
|
|
|
|
|
|
|
197
|
|
|
|
|
|
|
register_plugin; |
198
|
|
|
|
|
|
|
1; # End of Dancer::Plugin::EscapeHTML |