You can add a class to the ApacheHandler's "plugins" arrayref, for example
    use HTML::Mason::ApacheHandler;

    sub handler {
        my $r = shift;    # Apache2::RequestRec object
        my $ah = HTML::Mason::ApacheHandler->new(
            plugins => [ 'MasonX::Plugin::CheckARGS' ],
        );
        return $ah->handle_request($r);
    }
where MasonX::Plugin::CheckARGS is in @INC and contains something like
    package MasonX::Plugin::CheckARGS;
    use base qw(HTML::Mason::Plugin);

    sub start_request_hook {
        my ( $self, $context ) = @_;
        # In scalar context args() returns the request's key/value list as an
        # array ref; $arg below is aliased to each element, so changes stick.
        my $args_ref = $context->args();
        for my $arg ( @{$args_ref} ) {
            # Do something to each $arg, for example:
            utf8::is_utf8($arg) || utf8::decode($arg);
        }
        return;
    }
    1;
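As an added illustration (not code from the reply above or from Mason itself), here is a plugin in the same shape that HTML-escapes every argument value before any component sees it, handling the multi-valued case where a value arrives as an array ref. It assumes HTML::Entities is installed and, like the reply's example, that Mason runs the request component with the same list the hook receives; output escaping with |h at the point of printing is still the proper fix, since escaping on input also alters values later stored or used outside HTML.

```perl
package MasonX::Plugin::EscapeARGS;   # hypothetical name
use strict;
use warnings;
use base qw(HTML::Mason::Plugin);
use HTML::Entities qw(encode_entities);   # assumption: installed

# Escape one scalar value; undef passes through untouched.
sub _escape {
    my ($value) = @_;
    return $value unless defined $value;
    return encode_entities( $value, '<>&"\'' );
}

sub start_request_hook {
    my ( $self, $context ) = @_;
    # Scalar context: array ref of the flat key/value list built by
    # ApacheHandler's request_args (key, value, key, value, ...).
    my $args = $context->args;
    # Values sit at odd indices; a multi-valued parameter is an array ref.
    for ( my $i = 1; $i < @{$args}; $i += 2 ) {
        if ( ref $args->[$i] eq 'ARRAY' ) {
            $_ = _escape($_) for @{ $args->[$i] };
        }
        else {
            $args->[$i] = _escape( $args->[$i] );
        }
    }
    return;
}

1;
```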
On 6 Jun 2011, at 4:42 PM, Shane McCarron wrote:
> I had a user report that, in some circumstances, it is possible to supply
> weird parameters on a request to my Mason app and inject random HTML into my
> pages.
>
> Now, obviously I should be examining all parameters as they are passed in,
> and I should be escaping them if I just print them out (via |h). But I am
> not. And there are hundreds of pages. So I was wondering.... is there a
> way to have my master autohandler examine the ARGS hash and clean out
> anything nasty? I don't seem to be able to modify the values in %ARGS in a
> way that makes those modifications available globally... Any ideas? Or,
> better yet, is there some option that I can just enable that would do magic
> CGI parameter cleaning?
>
> --
> Shane McCarron
> [email protected]
> _______________________________________________
> Mason-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/mason-users