Tag Archives: catalyst

Catalyst auto HTML/XSS scrubbing

At work, we needed to implement some HTML scrubbing and XSS protection across a Perl Catalyst-powered API, so went looking for existing solutions. We found Catalyst::Plugin::HTML::Scrubber which did some of what we needed, but did not scrub within encoded PUT/POST bodies e.g. POSTed JSON.

I implemented some improvements to provide this, but sadly the original author could not be reached – it seems he hasn’t been active in the Perl community for quite some time. With a little help from the CPAN admins (thanks!) I obtained maintainership of it, and have since got a couple of releases out which add the features we needed:

  • scrubbing HTML/XSS attempts within both normal parameters (querystring / POSTed forms) and also recursively within PUTted/POSTed JSON etc
  • the ability to whitelist certain parameters by name or regex to exclude them from scrubbing – we have some admin-only areas where staff can enter “message of the day” content which is allowed to contain HTML
  • a “no encode HTML entities” option to undo HTML::Scrubber‘s automatic HTML entity encoding of e.g. angle brackets – whilst content destined for the browser wants to be HTML-encoded, inbound parameters don’t want that, we just want HTML /XSS attempts stripped, a parameter value like >= 5 should be left alone

The amended version can be found on CPAN – Catalyst::Plugin::HTML::Scrubber.

(Aside: yes, it has been, er, quite some time since I posted anything on this blog.)

Book Review: “Catalyst (Accelerating Perl Web Application Development)” by Johnathan Rockway

Catalyst is a web framework for Perl, which claims to "make web development something you had never expected it to be: Fun, rewarding and quick&quot.

I’m a professional Perl developer, but hadn’t tried Catalyst – it was one of the things I really wanted to try out but didn’t get round to it. Recently I obtained a copy of Johnathan Rockway’s book, Catalyst (Accelerating Perl Web Application Development) from PACKT publishing, so here’s a review of the book.

Johnathan is a member of the core Catalyst development team and certainly knows his stuff, so that lends credence to this book.

My first impression was that the book is somewhat thin at 187 pages for its £24.99 ($39.99 USD) cover price.

However, reading through the book, it covers Catalyst and some of the modules commonly used with Catalyst in just the right amount of detail – if you have some experience with Perl already, this book will give you just what you need to get using Catalyst with the minimum of fuss. The also covers various related tasks you’ll want to do when developing web apps with Catalyst, including:

  • using Template::Toolkit to generate output
  • object-relational mapping with DBIx::Class
  • generating forms automatically with FormBuilder
  • authentication and authorisation
  • session management
  • adding REST APIs, AJAX interactivity and RSS feeds

So, overall, I’d say it’s a quite good book, a perfect introduction to developing maintainable web applications using Catalyst, and using current best practices including MVC designs and ORM database access. However, one thing I felt wasn’t covered very well was Perl’s attributes which are used in many code examples – that’s one area of Perl that I haven’t really made any use of up until now. (The perldoc page does warn that "attribute declarations for variables are still evoving. The semantics and interfaces of such declarations could change in future versions. They are present for purposes of experimentation with what the semantics ought to be. Do not rely on the current implementation of this feature."). The book fails to really describe attributes at all (which I suspect is something a fair number of Perl developers won’t be familiar with). It also doesn’t explain the principles behind MVC design; I guess it’s a reasonable assumption that anyone planning to use Catalyst will probably already be fairly familiar with MVC principles, but a better introduction (perhaps with pointers to external reading for those needing to learn more first) wouldn’t have hurt.

Also, unfortunately the book is marred by several typos – it exudes a feel of perhaps being rushed out a little, without enough time being spent on editing. I don’t feel it detracts badly from the book, but is a little shoddy.

Despite the flaws, I still feel it’s a useful book to help get to grips with Catalyst.

Grab yourself a copy from Amazon (price at time of writing: £23.74), or buy it direct from Packt for £22.49.