optionally allow signed cookies, escape token injected into html

[mtths]

still needs tests, trying to wrap my head around that now

[mtths]

didn't quite get the hang of the tests yet, but upon reviewing the patch i found it more sensible to uri_escape the token instead of entity-encoding it (line 161). what do you think?

[chizmw]

Oops, I didn't see your extra comment before merging the pull request.
It did take me quite some time to work out how to even begin testing this module. It's not as good as it could be, but it's passable.

[mtths]

mostly against MITM attacks, where the attacker modifies the cookie and the submitted token.
e.g. attacker resets token and cookie as

"><svg/onload=prompt(document.domain)>

without the patch that triggers xss in the resulting html, and the cookie validates just fine.
with the patch (and secret set to a defined value) the tampering is detected and "invalid signature" is served

[chizmw]

Oh, yes. Very nice!
I think that HTML::Escape::escape_html() is the right choice here, no?
It appears to do what's needed, seems reasonably up to date, and appears to be at least "fast enough".

[chizmw]

Just pushed to PAUSE as 0.0.9. Should filter out over the next few hours.