in reply to XSS protection in CGI::Application

The way I'd solve this is to explicitly catch an unknown mode via:

my $self = shift; $self->run_modes( # default 'index' => 'index', # user's tag cloud 'tag_cloud' => 'tag_cloud', 'edit_tags' => 'edit_tags', 'tag_find' => 'tag_find', .. # called on unknown mode. 'AUTOLOAD' => 'unknown_mode', );

In your unknown mode you can then handle it as you wish - without echoing the mode back to the client and potentially allowing an XSS attack.

My own method is generally:

sub unknown_mode { my ( $self, $requested ) = (@_); my $q = $self->query(); my $session = $self->param('session'); my $username = $session->param('logged_in'); $requested = HTML::Entities::encode_entities($requested); if ( defined($username) && length($username) ) { return "<p>unknown mode '$requested' for logged in user $usern +ame</p>"; } else { return "<p>Unknown mode '$requested' for anonymous user.</p>"; } }

Obviously the username section is specific to the sites I design .. but the idea of handling the unknown mode yourself should be simple enough to understand?