As originally discovered in http://www.backup-manager.org/pipermail/dancer-users/2012-April/002424.html :
When automatic_escaping is enabled, we recursively encode HTML entities in template params, following references.
Since the app's settings are automatically passed to the template by Dancer::Template::Abstract, stored as a reference to the real settings hashref, we can inadvertently go HTML-encoding stuff in the app's actual settings.
A partial fix is for Dancer to clone the settings rather than storing an actual reference, but of course that still means the problem can occur in other cases.
For example:
```perl
get '/' => sub {
    my $foo = { foo => '<Foo>' };
    my $html = template 'bar', { foo => $foo };
    # $foo->{foo} has been changed to &lt;Foo&gt;
};
```

Probably a safer fix is for _encode to automatically clone any reference it's about to change before making changes. This would need some refactoring in _encode to assume that it's starting with a hashref (which it will be) and to pass on both the key and the value each time, rather than simply passing the reference to the value when recursing.
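The following is an added example, not Dancer's code: `encode_in_place` is a hypothetical stand-in for the in-place, reference-following behaviour the issue attributes to `_encode`, and `encode_copy` is a stand-in for the proposed fix that never writes through a reference it did not create. The sample settings and template params are constructed here to show the shared-reference problem; the module names used (`HTML::Entities`) are standard CPAN, everything else is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Hypothetical stand-in for the current behaviour: walk the params and
# HTML-encode every string, writing the result back THROUGH the references
# it follows. Anything the caller shares with this structure (such as the
# app's settings hashref) is modified as a side effect.
sub encode_in_place {
    my ($data) = @_;
    my $r = ref $data;
    if ($r eq 'HASH') {
        $data->{$_} = encode_in_place($data->{$_}) for keys %$data;
        return $data;
    }
    if ($r eq 'ARRAY') {
        $_ = encode_in_place($_) for @$data;   # $_ is aliased to each element
        return $data;
    }
    return $data if $r;                         # coderefs, objects, scalar refs: untouched
    return defined $data ? encode_entities($data) : undef;
}

# Hypothetical stand-in for the proposed fix: build a NEW hash/array at every
# level and return it, so no existing reference is ever written to. The
# caller's data, and anything it shares, survive unchanged.
# Caveat: like the naive version, this does not guard against cyclic
# structures; add a %seen map keyed on refaddr if params can contain cycles.
sub encode_copy {
    my ($data) = @_;
    my $r = ref $data;
    if ($r eq 'HASH') {
        return { map { $_ => encode_copy($data->{$_}) } keys %$data };
    }
    if ($r eq 'ARRAY') {
        return [ map { encode_copy($_) } @$data ];
    }
    return $data if $r;                         # non-container refs pass through as-is
    return defined $data ? encode_entities($data) : undef;
}

# Constructed fixture: app settings that are also handed to the template as a
# plain reference, mirroring what Dancer::Template::Abstract is described as doing.
sub fresh_fixture {
    my $settings = { charset => 'UTF-8', title => 'A <b>bold</b> site' };
    my $params   = { foo => { foo => '<Foo>' }, settings => $settings };
    return ($settings, $params);
}

my ($settings, $params) = fresh_fixture();
encode_in_place($params);
printf "in place: foo=%s  settings.title=%s\n",
    $params->{foo}{foo}, $settings->{title};

($settings, $params) = fresh_fixture();
my $encoded = encode_copy($params);
printf "copy    : encoded foo=%s  original foo=%s  settings.title=%s\n",
    $encoded->{foo}{foo}, $params->{foo}{foo}, $settings->{title};
```

With the in-place walker, `$settings->{title}` comes out entity-encoded even though only `$params` was passed in, because `$params->{settings}` is the same hashref; that is the settings corruption the issue describes. With the copying walker, the encoded values live only in the returned structure and both `$params->{foo}{foo}` and `$settings->{title}` keep their original text. Cloning the settings before passing them to the template, as the partial fix suggests, closes only that one sharing path; returning a fresh structure from the encoder closes all of them, including the `template 'bar', { foo => $foo }` case above.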