Tag Archives: Perl

Catalyst auto HTML/XSS scrubbing

At work, we needed to implement some HTML scrubbing and XSS protection across a Perl Catalyst-powered API, so we went looking for existing solutions. We found Catalyst::Plugin::HTML::Scrubber, which did some of what we needed, but it did not scrub within encoded PUT/POST bodies, e.g. POSTed JSON.

I implemented some improvements to provide this, but sadly the original author could not be reached – it seems he hasn’t been active in the Perl community for quite some time. With a little help from the CPAN admins (thanks!) I obtained maintainership of it, and have since got a couple of releases out which add the features we needed:

  • scrubbing HTML/XSS attempts within both normal parameters (querystring / POSTed forms) and also recursively within PUTted/POSTed JSON etc
  • the ability to whitelist certain parameters by name or regex to exclude them from scrubbing – we have some admin-only areas where staff can enter “message of the day” content which is allowed to contain HTML
  • a “no encode HTML entities” option to undo HTML::Scrubber’s automatic HTML entity encoding of e.g. angle brackets – whilst content destined for the browser wants to be HTML-encoded, inbound parameters don’t want that; we just want HTML/XSS attempts stripped, and a parameter value like >= 5 should be left alone

The amended version can be found on CPAN – Catalyst::Plugin::HTML::Scrubber.
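To make the three features above concrete, here is a small stand-alone Perl script written for this page. It is not the plugin's own code: it reimplements the same idea on top of HTML::Scrubber (from CPAN) and JSON::PP, walking a decoded request body recursively, skipping parameters on a hypothetical whitelist (the names motd and ^admin_ are made up), and undoing the scrubber's angle-bracket encoding so a plain value like >= 5 survives. The sample parameters and JSON body are constructed.

```perl
#!/usr/bin/env perl
# Added example for this page; not Catalyst::Plugin::HTML::Scrubber itself.
use strict;
use warnings;
use HTML::Scrubber;
use JSON::PP;

# A default HTML::Scrubber allows no tags at all: every element is removed
# and only the text between tags is kept.
my $scrubber = HTML::Scrubber->new;

# Hypothetical whitelist: parameters matched by exact name or by regex are
# passed through untouched (e.g. an admin-only "message of the day" field).
my @whitelist = ( 'motd', qr/^admin_/ );

sub is_whitelisted {
    my ($name) = @_;
    for my $rule (@whitelist) {
        if ( ref $rule eq 'Regexp' ) {
            return 1 if $name =~ $rule;
        }
        else {
            return 1 if $name eq $rule;
        }
    }
    return 0;
}

# Scrub one string. HTML::Scrubber rewrites bare '<' and '>' in text as
# &lt; / &gt;. That is right for output headed to a browser but wrong for an
# inbound parameter, so we undo it. If the scrubber changed nothing we hand
# back the original value byte-for-byte (so a client-sent &gt; is untouched).
sub scrub_string {
    my ($value) = @_;
    my $out = $scrubber->scrub($value);
    return $value if $out eq $value;
    $out =~ s/&gt;/>/g;
    $out =~ s/&lt;/</g;
    return $out;
}

# Walk a decoded body (hashes, arrays, scalars) and scrub every string leaf,
# carrying the nearest hash key down so whitelisting also applies to values
# inside arrays and nested objects. Other references (JSON booleans) are
# left alone. Hash keys themselves are not scrubbed.
sub scrub_deep {
    my ( $data, $name ) = @_;
    return $data unless defined $data;
    if ( ref $data eq 'HASH' ) {
        my %clean;
        $clean{$_} = scrub_deep( $data->{$_}, $_ ) for keys %$data;
        return \%clean;
    }
    if ( ref $data eq 'ARRAY' ) {
        return [ map { scrub_deep( $_, $name ) } @$data ];
    }
    return $data if ref $data;
    return $data if defined $name && is_whitelisted($name);
    return scrub_string($data);
}

# Constructed sample input: query-string style parameters plus a POSTed
# JSON body with nested structures.
my %params = (
    name    => 'Bob <script>alert(1)</script>',   # script element stripped
    minimum => '>= 5',                             # left exactly as sent
    motd    => '<b>Welcome</b> to the admin area', # whitelisted, HTML kept
);
my $json_body = '{"comment":"<img src=x onerror=alert(1)>hi",'
              . '"tags":["<i>a</i>","b"],"admin_note":"<u>keep</u>","active":true}';

my $clean_params = scrub_deep( \%params );
my $clean_body   = scrub_deep( JSON::PP->new->decode($json_body) );

my $json = JSON::PP->new->canonical->pretty;
print "params: ", $json->encode($clean_params);
print "body:   ", $json->encode($clean_body);
```

Run it with `perl scrub.pl` after `cpanm HTML::Scrubber`. One caveat worth knowing before copying the "undo" step: once a tag has been stripped from a value, the script cannot tell a client-sent `&gt;` apart from one the scrubber produced, so literal entities in such a value are decoded too; if you need to preserve them exactly, diff against the input instead of a blanket substitution.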


(Aside: yes, it has been, er, quite some time since I posted anything on this blog.)

DancerJukebox – music queuing Perl webapp powered by Dancer

I spent some of Friday night hacking on rewriting my music queuing webapp from Catalyst (which I originally wrote it in, ages ago, before I discovered Dancer) to Dancer.

It only took a couple of hours of easy and actually fairly enjoyable coding to get it all ported over, and in the process I released two Dancer plugins – Dancer::Plugin::MPD to handle easily getting a working MPD connection, and Dancer::Plugin::DebugDump to easily dump objects and data structures to the debug log to simplify development.

This time round, the code is up on GitHub – DancerJukebox on GitHub. I never released the previous code, it was developed in a private Subversion repository, and I was never happy enough with it to release it.

The basic idea is that you fill the playlist with decent music and leave MPD playing on random. If people want to hear specific songs, they can use the web app to search for whatever they want and add them to a queue.


Dancer::Plugin::Database – easy DB connections for Dancer apps

Last night I finished and released the first version of Dancer::Plugin::Database, a plugin for the Dancer web framework to provide easy database connections using the venerable DBI.

It takes the database connection details from the app config file, and provides a database keyword which will return you a connected database handle (taking care of ensuring that the DB connection is still alive, etc).

So, usage can be as simple as:

my $books = database->selectall_arrayref(
    'select * from books where author = ?', 
    { Slice => {}}, $author
);

(Calling database() simply returns a DBI database handle, so you can obviously do anything you can do with DBI).

Also, at the moment, if a database connection could not be established for any reason, database() will just return undef, so you will need to handle errors appropriately. After considering whether it’s wise, I may tweak it to die, so that Dancer will handle the failure with a pretty 500 error for you (in which case, I’ll make it possible to disable that via the config).
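As an added example (not code from the plugin's distribution), here is a Dancer route that uses the database keyword, copes with the undef-on-failure behaviour described above, and keeps request input out of the SQL via placeholders. The config.yml keys follow the plugin's documented layout; the books table and its columns are made up.

```perl
#!/usr/bin/env perl
# Added example for this page; not part of Dancer::Plugin::Database itself.
use strict;
use warnings;
use Dancer;
use Dancer::Plugin::Database;

# config.yml for this app (the plugin reads its connection details from here):
#
#   plugins:
#     Database:
#       driver: 'SQLite'
#       database: 'books.db'
#
# The 'books' table (title, year, author) is assumed to exist.

get '/books/:author' => sub {
    # database() returns undef if no connection could be established, so
    # check it instead of calling a method on undef (which dies with an
    # unhelpful "Can't call method on an undefined value").
    my $dbh = database()
        or return send_error( 'database unavailable', 503 );

    # Bind the request parameter with a placeholder; never interpolate
    # request input into the SQL string.
    my $books = $dbh->selectall_arrayref(
        'select title, year from books where author = ?',
        { Slice => {} },
        params->{author},
    );

    content_type 'application/json';
    return to_json $books;
};

dance;
```

If the plugin is later changed to die on connection failure, the `or return send_error(...)` line becomes redundant but harmless: Dancer will render its own 500 page before the route body runs.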

Book Review: “Catalyst (Accelerating Perl Web Application Development)” by Jonathan Rockway

Catalyst is a web framework for Perl, which claims to "make web development something you had never expected it to be: Fun, rewarding and quick".

I’m a professional Perl developer, but hadn’t tried Catalyst – it was one of the things I really wanted to try out but didn’t get round to. Recently I obtained a copy of Jonathan Rockway’s book, Catalyst (Accelerating Perl Web Application Development) from Packt Publishing, so here’s a review of the book.

Jonathan is a member of the core Catalyst development team and certainly knows his stuff, so that lends credence to this book.

My first impression was that the book is somewhat thin at 187 pages for its £24.99 ($39.99 USD) cover price.

However, reading through the book, it covers Catalyst and some of the modules commonly used with Catalyst in just the right amount of detail – if you have some experience with Perl already, this book will give you just what you need to get using Catalyst with the minimum of fuss. It also covers various related tasks you’ll want to do when developing web apps with Catalyst, including:

  • using Template::Toolkit to generate output
  • object-relational mapping with DBIx::Class
  • generating forms automatically with FormBuilder
  • authentication and authorisation
  • session management
  • adding REST APIs, AJAX interactivity and RSS feeds

So, overall, I’d say it’s quite a good book, a perfect introduction to developing maintainable web applications using Catalyst, and using current best practices including MVC designs and ORM database access. However, one thing I felt wasn’t covered very well was Perl’s attributes, which are used in many code examples – that’s one area of Perl that I haven’t really made any use of up until now. (The perldoc page does warn that "attribute declarations for variables are still evolving. The semantics and interfaces of such declarations could change in future versions. They are present for purposes of experimentation with what the semantics ought to be. Do not rely on the current implementation of this feature.") The book fails to really describe attributes at all (which I suspect is something a fair number of Perl developers won’t be familiar with). It also doesn’t explain the principles behind MVC design; I guess it’s a reasonable assumption that anyone planning to use Catalyst will probably already be fairly familiar with MVC principles, but a better introduction (perhaps with pointers to external reading for those needing to learn more first) wouldn’t have hurt.

Also, unfortunately the book is marred by several typos – it exudes a feel of perhaps being rushed out a little, without enough time being spent on editing. I don’t feel it detracts badly from the book, but is a little shoddy.

Despite the flaws, I still feel it’s a useful book to help get to grips with Catalyst.

Grab yourself a copy from Amazon (price at time of writing: £23.74), or buy it direct from Packt for £22.49.

New song lyrics search site


I’ve been meaning to whack up a post about this – I launched a new song lyrics search website the other day called LyricsBadger.

It uses my Lyrics::Fetcher Perl module to fetch song lyrics from a variety of sites, and remembers what it’s been asked for before so that it can present lists of artists/songs which it’s already been asked for.

I built it as a testbed for Lyrics::Fetcher and to get some experience with Template Toolkit for Perl (which absolutely rocks!). The entire site is powered by one Perl script and a handful of templates, and uses a ScriptAlias directive to pass all requests to the one script so that it can provide nice clean URLs like /lyrics/Artist/Title.

Why not go and give LyricsBadger a try?