Quickly sanitanize inputs of registration form

c332f7a9 · Timothée Floure · 04168253 · c332f7a9 · c332f7a9
Commit c332f7a9 authored Feb 21, 2020 by Timothée Floure
Hide whitespace changes
Inline Side-by-side

Showing with 32 additions and 30 deletions

Makefile.PL Makefile.PL +20 -19

lib/MemberManagement/Web/Member.pm lib/MemberManagement/Web/Member.pm +12 -11

No files found.
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -17,25 +17,26 @@ WriteMakefile(
      : ()),
    PL_FILES            => {},
    PREREQ_PM => {
-        'Dancer'                       => 1.3132,
-        'Dancer::Session::Cookie'      => 0,
-        'Dancer::Plugin::FlashMessage' => 0,
-        'DBI'                          => 0,
-        'DBD::SQLite'                  => 0,
-        'Email::Simple'                => 0,
-        'Email::Sender'                => 0,
-        'Email::Valid'                 => 0,
-        'JSON'                         => 0,
-        'Mail::Sender'                 => 0,
-        'Net::LDAP'                    => 0,
-        'Plack::Test'                  => 0,
-        'Template'                     => 0,
-        'Test::More'                   => 0,
-        'URI'                          => 0,
-        'YAML'                         => 0,
-        'List::Pairwise'               => 0,
-        'Package::Alias'               => 0,
-        'REST::Client'                 => 0,
+        'Dancer'                        => 1.3132,
+        'Dancer::Session::Cookie'       => 0,
+        'Dancer::Plugin::FlashMessage'  => 0,
+        'Dancer::Plugin::EscapeHTML'    => 0,
+        'DBI'                           => 0,
+        'DBD::SQLite'                   => 0,
+        'Email::Simple'                 => 0,
+        'Email::Sender'                 => 0,
+        'Email::Valid'                  => 0,
+        'JSON'                          => 0,
+        'Mail::Sender'                  => 0,
+        'Net::LDAP'                     => 0,
+        'Plack::Test'                   => 0,
+        'Template'                      => 0,
+        'Test::More'                    => 0,
+        'URI'                           => 0,
+        'YAML'                          => 0,
+        'List::Pairwise'                => 0,
+        'Package::Alias'                => 0,
+        'REST::Client'                  => 0,
    },
    dist                => { COMPRESS => 'gzip -9f', SUFFIX => 'gz', },
    clean               => { FILES => 'Unipoly-MemberManagement-*' },

--- a/lib/MemberManagement/Web/Member.pm
+++ b/lib/MemberManagement/Web/Member.pm
 package MemberManagement::Web::Member;
+use Dancer::Plugin::EscapeHTML;
 use warnings;
 use strict;

@@ -56,20 +57,20 @@ post '/register' => sub {
 	}

 	my $req = RegistrationRequest->create(
-		params->{username},
-		params->{first_name},
-		params->{last_name},
-		params->{common_name},
-		params->{mobile},
-		params->{mail},
-		params->{affiliation},
-		$selected_mailing_lists,
-		params->{how_unipoly},
-		params->{note},
+		escape_html params->{username},
+		escape_html params->{first_name},
+		escape_html params->{last_name},
+		escape_html params->{common_name},
+		escape_html params->{mobile},
+		escape_html params->{mail},
+		escape_html params->{affiliation},
+		escape_html $selected_mailing_lists,
+		escape_html params->{how_unipoly},
+		escape_html params->{note},
 	);

 	if (defined $req) {
-		flash message => "Registration request for " . params->{username} . " saved.";
+		flash message => "Registration request for " . escape_html(params->{username}) . " saved.";

 		my $mail_sent = eval {
 			Mailer::send_registration_confirmation(