@zostay
Created August 15, 2012 13:59
OWASP Top Ten - A2 Cross Site Scripting (XSS) - Good/Bad - In Perl
use v5.16;
use Plack::Request;

my $app = sub {
    # Use Plack::Request to help parse the environment
    my $req = Plack::Request->new(shift);

    # Load our input
    my $input = $req->parameters->{input};

    # BAD BAD BAD Display that input in the HTML page, but without
    # validation or encoding out the possibly SCRIPT or other malicious tags
    return [
        200, [ 'Content-type' => 'text/html' ],
        [
            qq[<html><head><title>Hello</title></head>],
            qq[<body><p>$input</p></body></html>],
        ]
    ];
};
use v5.16;
use HTML::Entities;
use Plack::Request;

my $app = sub {
    # Use Plack::Request to help parse the environment
    my $req = Plack::Request->new(shift);

    # Load our input (default to the empty string so a missing parameter is
    # rejected below instead of triggering an undefined-value warning)
    my $input = $req->parameters->{input} // '';

    # Validate the input: allow only word characters, so <script> or any
    # other tag can never get through (\A...\z rather than ^...$, because $
    # would let a trailing newline past the check)
    return [ 400, [ 'Content-type' => 'text/html' ],
             [ 'You are naughty.' ] ]
        unless $input =~ /\A\w+\z/;

    # Prior to outputting, make sure we encode it for HTML
    my $output = encode_entities($input);

    # Display that input in the HTML page
    return [
        200, [ 'Content-type' => 'text/html' ],
        [ qq[<html><head><title>Hello</title></head>],
          qq[<body><p>$output</p></body></html>] ]
    ];
};
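The following regression test is an added example, not part of the gist: it drives the hardened version above through Plack::Test and checks that it behaves as the comments claim. It assumes the hardened version was saved as good.psgi in the current directory (the gist does not name its files); the inputs are constructed for the test.

```perl
#!/usr/bin/env perl
# Added example (not from the gist): exercise the hardened PSGI app.
# Assumes the "good" version above is saved as good.psgi.
use v5.16;
use warnings;
use Test::More;
use Plack::Test;
use Plack::Util;
use HTTP::Request::Common;
use HTML::Entities;
use URI::Escape qw(uri_escape);

my $app = Plack::Util::load_psgi('good.psgi');

# Constructed inputs: one that passes the \w+ whitelist, two that must not.
# Each row is [ raw input, expected status, text expected in the body ].
my @cases = (
    [ 'alice',                     200, '<p>alice</p>'     ],
    [ '<script>alert(1)</script>', 400, 'You are naughty.' ],
    [ "O'Brien",                   400, 'You are naughty.' ],
);

test_psgi app => $app, client => sub {
    my $cb = shift;
    for my $case (@cases) {
        my ($input, $status, $body) = @$case;
        # The input travels as a query parameter, so URL-encode it first
        my $res = $cb->(GET '/?input=' . uri_escape($input));
        is   $res->code,    $status,        "status for input '$input'";
        like $res->content, qr/\Q$body\E/,  "body for input '$input'";
    }
};

# The encoding step on its own, so the transformation is visible: every
# character that means something to an HTML parser becomes an entity.
is encode_entities(q{<b onclick="x">&'</b>}),
   '&lt;b onclick=&quot;x&quot;&gt;&amp;&#39;&lt;/b&gt;',
   'HTML metacharacters are entity-encoded';

done_testing;
```

Run it with `prove -v` (or `perl`) from the directory holding good.psgi. The third case is worth noticing: a legitimate name like O'Brien is rejected by the `\w+` whitelist, which shows that the regex is a coarse input filter, while the `encode_entities` call is what actually prevents the reflected value from being interpreted as markup. If the whitelist is later loosened to accept real-world text, the encoding step is the control that must stay.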