package Jaos::WebApp::Plugin::CleanParams;
use strict;
use warnings;

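# Escape the five HTML-significant characters so a parameter value can be
# placed in an HTML body or a quoted attribute without breaking out of it.
# As listed on this page the '&' and '>' substitutions were no-ops
# (s/&/&/g, s/>/>/g), so '&' and '>' passed through unencoded; they are now
# mapped to &amp; and &gt;. '&' must be handled first, otherwise the '&'
# introduced by the later entities would itself be re-encoded.
#
# Argument: one string. undef is returned unchanged without warnings.
# Returns:  an encoded copy; the caller's scalar is not modified.
sub encode_html {
    my $str = shift;
    return $str unless defined $str;
    $str =~ s/&/&amp;/g;
    $str =~ s/</&lt;/g;
    $str =~ s/>/&gt;/g;
    $str =~ s/"/&quot;/g;
    $str =~ s/'/&#39;/g;
    return $str;
}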

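# Install the pre_dispatch hook that validates and HTML-encodes every request
# parameter before the application sees it.
#
# Arguments:
#   $self       - the plugin (unused here)
#   $app        - application object; must provide add_run_hook and log
#   $conditions - optional hashref:
#                   discard_unknown => 1 drops parameters that have no rule
#                   params          => { name => qr/.../ | 'literal', ... }
#
# For each parameter every submitted value is checked against its rule: a
# compiled regex is matched, anything else is compared as an exact string.
# Values that pass are HTML-encoded and the parameter is rewritten with only
# those values. Validation sees the raw value; the application sees the
# encoded one. The literal-string rule is the documented way to check a
# shared secret (app_key in the SYNOPSIS), so that comparison no longer
# stops at the first differing byte and the expected value is no longer
# written to the log on a mismatch.
sub register 
{
  my ($self, $app, $conditions) = @_;

  $conditions ||= {};
  my $discard_unknown = $conditions->{discard_unknown} || 0;
  my $valid = $conditions->{params} || {};

  $app->add_run_hook(
    pre_dispatch => sub {
      my ($ctx) = @_;

      # nothing to clean without a parameter container
      my $params = $ctx->req->parameters or return;

      # the key list is evaluated once, so removing/adding below is safe
      for my $key ($params->keys) {
        my $rule = $valid->{$key};
        my @cleaned;

        # a parameter is considered only if it has a rule or unknowns are allowed
        if ($rule || !$discard_unknown) {
          VALUE: for my $value ($params->get_all($key)) {
            if ($rule) {
              if (ref $rule eq 'Regexp') {
                unless ($value =~ $rule) {
                  # collapse control characters so a crafted value cannot forge log lines
                  (my $shown = $value) =~ s/[^[:print:]]/?/g;
                  $app->log->error("discarding $key as $shown != $rule");
                  next VALUE;
                }
              } else {
                # literal rules are typically secrets: constant-time compare and
                # keep both the submitted and the expected value out of the log
                unless (_constant_time_eq($value, $rule)) {
                  $app->log->error("discarding $key: value does not match the configured string");
                  next VALUE;
                }
              }
            }
            push @cleaned, encode_html($value);
          }
        } else { 
          $app->log->error("discarding unknown parameter: $key");
        }

        # replace the parameter with the validated, encoded values only
        $params->remove($key);
        $params->add($key, @cleaned) if @cleaned;
      }
    }
  );
}

# Exact string equality that does not return at the first differing byte,
# so the time taken reveals at most the length of the expected string.
# Returns 1 when both are defined, equal in length and byte-for-byte equal,
# 0 otherwise.
sub _constant_time_eq {
  my ($got, $expected) = @_;
  return 0 unless defined $got && defined $expected;
  return 0 if length $got != length $expected;

  my $diff = 0;
  for my $i (0 .. length($got) - 1) {
    $diff |= ord(substr $got, $i, 1) ^ ord(substr $expected, $i, 1);
  }
  return $diff == 0 ? 1 : 0;
}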

=head1 NAME

Jaos::WebApp::Plugin::CleanParams - parameter cleaning and validation

=head1 SYNOPSIS

 package MyApp;

  sub startup
  {
    my $app = shift;
    my $validation = { id => qr/^\d+$/, name => qr/^\w+$/, app_key => $mysecret };
    $app->load_plugin('Jaos::WebApp::Plugin::CleanParams', { discard_unknown => 1, params => $validation });
  }

 1;

=head1 DESCRIPTION

Jaos::WebApp::Plugin::CleanParams is a simple plugin that HTML-encodes every request parameter value (the characters ampersand, less-than, greater-than, double quote and single quote) in a pre_dispatch hook, so the application only ever sees the encoded form and must not encode the values a second time before output.

Optionally, the options hashref may carry a C<params> key whose value maps parameter names to either a compiled regex (C<qr//>) or a literal string. Every submitted value of a parameter must match the regex or equal the string exactly; values that do not match are dropped, and a parameter whose values all fail is removed. Validation runs on the raw value, before HTML encoding. Anchor patterns with C<\A> and C<\z> rather than C<^> and C<$>, because C<$> also accepts a trailing newline. If C<discard_unknown> is set, any parameter with no entry in C<params> is discarded entirely.

=head1 METHODS

=head2 register

register adds a single callback to the pre_dispatch hook. The callback receives the request context, reads its parameters, validates and HTML-encodes every value, and writes the cleaned values back in place of the originals.

=head1 AUTHOR

Jason Woodward <woodwardj@jaos.org>

=head1 LICENSE

Copyright (C) 2010-2011 Jason Woodward
All rights reserved

This library is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this library.  If not, see <http://www.gnu.org/licenses/>.

=cut

1;