Unescaped HTML in the variables that Apache::Status dumps has always messed up the output, and because those values are written into the page verbatim it is also a potential cross-site scripting (XSS) issue, so here is a patch that escapes the markup before it is emitted.
Index: lib/Apache/Status.pm
===================================================================
RCS file: /home/cvspublic/modperl-2.0/lib/Apache/Status.pm,v
retrieving revision 1.29
diff -u -r1.29 Status.pm
--- lib/Apache/Status.pm 28 Sep 2004 03:42:39 -0000 1.29
+++ lib/Apache/Status.pm 5 Oct 2004 17:47:18 -0000
@@ -363,7 +363,8 @@
}
push @retval, "\n</p>\n";
push @retval, "<pre>",
- (map "$_ = " . ($ENV{$_}||'') . "\n", sort keys %ENV), "</pre>";
+ (map "$_ = " . (esc_HTML($ENV{$_})||'') . "\n",
+ sort keys %ENV), "</pre>";
[EMAIL PROTECTED];
}
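Review bot: `esc_HTML($ENV{$_})||''` now passes a possibly undefined value into the helper before the default is applied, so an %ENV entry whose value is undef triggers uninitialized-value warnings inside the substitutions, whereas the original `($ENV{$_}||'')` defaulted first; keep the default inside the call: `(map "$_ = " . esc_HTML($ENV{$_}||'') . "\n",`. The variable name `$_` is still interpolated unescaped; on most platforms environment variable names are not limited to `\w` characters, so a name containing `<` would inject markup exactly as a value does, and escaping it too (`esc_HTML($_) . " = " . esc_HTML($ENV{$_}||'')`) costs nothing. The enclosing function begins before this hunk, and its final line appears here as `[EMAIL PROTECTED];`, which looks like the archive's mangling of `\@retval;` rather than part of the patch.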
@@ -409,6 +410,7 @@
no strict 'refs';
my @retval = "<p>\nData Dump of $name $type\n</p>\n<pre>\n";
my $str = Data::Dumper->Dump([*$name{$type}], ['*'.$name]);
+ $str = esc_HTML($str);
$str =~ s/= \\/= /; #whack backwack
push @retval, $str, "\n";
push @retval, peek_link($r, $q, $name, $type);
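Review bot: The heading built on the line above the new `esc_HTML` call, `"<p>\nData Dump of $name $type\n</p>\n<pre>\n"`, still interpolates `$name` and `$type` unescaped, and `$name` is also used for a symbol-table lookup in `*$name{$type}`; if either value originates from the request (the function receives `$q`, which is passed on to `peek_link`), they are a more direct injection point than the dumped data and should be escaped in the same way, e.g. `my @retval = "<p>\nData Dump of " . esc_HTML($name) . " " . esc_HTML($type) . "\n</p>\n<pre>\n";`, or validated against a tight pattern such as `/^[\w:]+$/` before use. Applying `esc_HTML` before the `s/= \\/= /` cleanup is correct, since that substitution touches none of the escaped characters. The enclosing function begins and ends outside this hunk.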
@@ -826,6 +828,16 @@
push @m, "</table>";
return join "\n", @m, "<hr>", b_package_size_link($r, $q, $package);
+}
+
+sub esc_HTML {
+ my $str = shift;
+
+ $str =~ s/&/&/g;
+ $str =~ s/</</g;
+ $str =~ s/>/>/g;
+
+ return $str;
}
sub myconfig {
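Review bot: As rendered here, the three substitutions in esc_HTML replace `&`, `<` and `>` with themselves, which would make the helper a no-op and leave the other two hunks with no effect; presumably the archive decoded the entity text on the replacement side, but the applied patch must read `$str =~ s/&/&amp;/g;`, `$str =~ s/</&lt;/g;`, `$str =~ s/>/&gt;/g;`, with the ampersand handled first so the ampersands introduced by `&lt;`/`&gt;` are not escaped again. A `return '' unless defined $str;` guard at the top would let callers pass undef without uninitialized-value warnings from the substitutions. This escaping is sufficient for element content such as the `<pre>` blocks the callers use it in; if the helper is ever reused inside an attribute value, `"` must be escaped as well (`s/"/&quot;/g`). The `}` on the first added line closes a sub that begins before this hunk, and `sub myconfig` continues past it.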