The way I'd solve this is to explicitly catch an unknown mode via:
my $self = shift;
$self->run_modes(
# default
'index' => 'index',
# user's tag cloud
'tag_cloud' => 'tag_cloud',
'edit_tags' => 'edit_tags',
'tag_find' => 'tag_find',
..
# called on unknown mode.
'AUTOLOAD' => 'unknown_mode',
);
In your unknown mode you can then handle it as you wish - without echoing the mode back to the client and potentially allowing an XSS attack.
My own method is generally:
sub unknown_mode
{
my ( $self, $requested ) = (@_);
my $q = $self->query();
my $session = $self->param('session');
my $username = $session->param('logged_in');
$requested = HTML::Entities::encode_entities($requested);
if ( defined($username) && length($username) )
{
return "<p>unknown mode '$requested' for logged in user $usern
+ame</p>";
}
else
{
return "<p>Unknown mode '$requested' for anonymous user.</p>";
}
}
Obviously the username section is specific to the sites I design .. but the idea of handling the unknown mode yourself should be simple enough to understand?
