note
skx
<p>The way I'd solve this is to explicitly catch an unknown mode via:</p>
<code>
my $self = shift;
$self->run_modes(
# default
'index' => 'index',
# user's tag cloud
'tag_cloud' => 'tag_cloud',
'edit_tags' => 'edit_tags',
'tag_find' => 'tag_find',
..
# called on unknown mode.
'AUTOLOAD' => 'unknown_mode',
);
</code>
<p>In your unknown mode you can then handle it as you wish - without echoing the mode back to the client and potentially allowing an XSS attack.</p>
<p>My own method is generally:</p>
<code>
sub unknown_mode
{
my ( $self, $requested ) = (@_);
my $q = $self->query();
my $session = $self->param('session');
my $username = $session->param('logged_in');
$requested = HTML::Entities::encode_entities($requested);
if ( defined($username) && length($username) )
{
return "<p>unknown mode '$requested' for logged in user $username</p>";
}
else
{
return "<p>Unknown mode '$requested' for anonymous user.</p>";
}
}
</code>
<p>Obviously the username section is specific to the sites I design .. but the idea of handling the unknown mode yourself should be simple enough to understand?</p>
<!-- Node text goes above. Div tags should contain sig only -->
<div class="pmsig"><div class="pmsig-194370">
<a href="http://www.steve.org.uk/">Steve</a><br/>
-- <br/>
</div></div>
826236
826236