
Filter HTML out of username, real_name and email so those fields cannot be used for XSS attacks.

perlDreamer committed Aug 7, 2017
1 parent 0e549bd commit 2b1ef0e10289278984215be92fd17b75292e81ed
Showing with 27 additions and 0 deletions.
  1. +17 −0 bin/util/remove_html_from_users.pl
  2. +10 −0 lib/Wing/Role/Result/User.pm
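--- /dev/null
+++ b/bin/util/remove_html_from_users.pl
@@ -0,0 +1,17 @@
+#!/usr/bin/env perl
+use lib $ENV{WING_APP}.'/lib', '/data/Wing/lib';
+use Wing::Perl;
+use Wing;
+my $users = Wing->db->resultset('User')->search();
+while (my $user = $users->next) {
+$user->username($user->username);
+$user->real_name($user->real_name);
+$user->email($user->email);
+$user->update;
+}
+say "Finished with users";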
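Review bot: The loop body from `while (my $user = $users->next) {` through `$user->update;` has no error handling, so the first row whose neutralized value the database rejects (for example a username that grows past the varchar(30) limit once each `<` becomes `&lt;`, or a collision on a unique column after escaping) dies and aborts the migration part-way with no record of which user was being processed. Wrapping the body as `eval { ...; $user->update; 1 } or warn "user " . $user->id . ": $@";` lets the run continue and lists the failures at the end. The script also re-saves every user row; narrowing the resultset to values containing `<`, `>` or `&` would keep the write volume down on a large table. Whether re-assigning a field through its accessor actually invokes the new `filter` callback depends on Wing::Role::Result::Field, which is outside this diff, so it is worth confirming on one known-bad row before running it over the whole table.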
@@ -14,6 +14,7 @@ with 'Wing::Role::Result::Field';
with 'Wing::Role::Result::DateTimeField';
with 'Wing::Role::Result::PrivilegeField';
with 'Wing::Role::Result::Child';
use Wing::ContentFilter;
=head1 NAME
@@ -90,23 +91,32 @@ A relationship to a L<Wing::Role::Result::APIKeyPermmission> enabled object.
=cut
sub fix_html {
my $text = shift;
Wing::ContentFilter::neutralize_html(\$text);
return $text;
}
before wing_finalize_class => sub {
my ($class) = @_;
$class->wing_fields(
username => {
dbic => { data_type => 'varchar', size => 30, is_nullable => 0 },
view => 'private',
edit => 'unique',
filter => sub { Wing::ContentFilter::neutralize_html(\$_[0], {entities=>1},); return $_[0]; },
},
real_name => {
dbic => { data_type => 'varchar', size => 255, is_nullable => 1, default_value => '' },
view => 'private',
edit => 'postable',
filter => sub { Wing::ContentFilter::neutralize_html(\$_[0], {entities=>1},); return $_[0]; },
},
email => {
dbic => { data_type => 'varchar', size => 255, is_nullable => 1 },
view => 'private',
edit => 'unique',
filter => sub { Wing::ContentFilter::neutralize_html(\$_[0]); return $_[0]; },
},
use_as_display_name => {
dbic => { data_type => 'varchar', size => 10, is_nullable => 1, default_value => 'username' },
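Review bot: The username filter on the line `filter => sub { Wing::ContentFilter::neutralize_html(\$_[0], {entities=>1},); return $_[0]; },` can produce a value longer than the `size => 30` declared two lines above it, because entity encoding turns each `<` into `&lt;` and `&` into `&amp;`; a name near the limit that contains those characters will then either be rejected or silently truncated to a half-escaped string, depending on the database's strictness. Either raise the column size or check the length after filtering and reject it in the same place the `unique` edit rule is enforced. The new `fix_html` helper is not called by any of the three filters, which inline the same `neutralize_html` call; giving it an options argument (`sub fix_html { my ($text, $opts) = @_; Wing::ContentFilter::neutralize_html(\$text, $opts); return $text; }`) and using it from the filters would remove the duplication, otherwise it should be dropped. Storing entity-encoded text also means any template that already HTML-escapes on output will render a stored `&lt;` as `&amp;lt;`, so it is worth confirming how these fields are displayed, since output escaping is the more robust XSS defense. The `wing_finalize_class` field list continues past the end of the hunk.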
