* Larry Leszczynski <lar...@emailplus.org> [2014-12-04 21:35]:
> On Thu, Dec 4, 2014, at 12:41 PM, Trevor Leffler wrote:
> > This is a typical use:
> >
> > <link href="[% c.uri_for('/static/css/my_style.css') | html %]" 
> > rel="stylesheet">
>
> Assuming you're using Template Toolkit, you should use the "url"
> filter, not the "html" filter:
>
>    <link href="[% c.uri_for('/static/css/my_style.css') | url %]"
>    rel="stylesheet">

No.

First, if $c->uri_for gives you a URI which isn’t already correctly
URI-encoded, then it has a bug which should be reported. And if it does
give you correctly encoded URIs, as it should and probably does, then
re-encoding them will break any already-encoded parts.

Second, you are outputting URIs into HTML content, and URIs can contain
verbatim things that are metacharacters in HTML, such as ampersands.
Those need to be entity-escaped for HTML. If you aren’t doing that, then
you are producing broken HTML.

So what you are directing Trevor to do is broken – and not just once but
twice.

In practice, URIs that require escaping are uncommon and browsers go to
enormous lengths to understand broken HTML (and unescaped ampersands in
URIs are a very common problem), so you can go for a long time without
running into these problems. But that code is still broken, and broken
twice, nonetheless.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
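The two failure modes above (re-encoding an already-encoded URI, and leaving HTML metacharacters unescaped) as an added Python illustration that is not from this thread or from Catalyst/Template Toolkit. It assumes `url_filter` percent-encodes every reserved character and `html_filter` entity-escapes, as stand-ins for TT's `url` and `html` filters; the sample URI is constructed.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample: a URI as a router like $c->uri_for would already return it,
# i.e. already percent-encoded (space -> %20, non-ASCII -> UTF-8 bytes), with an
# ampersand separating two query parameters.
ENCODED_URI = "/search?q=caf%C3%A9%20au%20lait&lang=en"


def url_filter(uri: str) -> str:
    """Percent-encode the whole string (assumed stand-in for TT's 'url' filter):
    every '%' and '&' that is already doing its job gets encoded a second time."""
    return quote(uri, safe="")


def html_filter(uri: str) -> str:
    """Entity-escape HTML metacharacters (assumed stand-in for TT's 'html' filter):
    '&' becomes '&amp;', quotes and angle brackets are escaped, '%' is left alone."""
    return html.escape(uri, quote=True)


def browser_request_target(attr_value: str) -> str:
    """What a browser requests from an href: it entity-decodes the attribute
    value and uses the result verbatim as the URI (no percent-decoding)."""
    return html.unescape(attr_value)


def query_params(uri: str) -> dict:
    """Query parameters as the server will parse them from the requested URI."""
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}


def compare_filters(uri: str) -> dict:
    """Run both filters over one URI and report what the server ends up seeing."""
    via_url = browser_request_target(url_filter(uri))
    via_html = browser_request_target(html_filter(uri))
    return {
        # double-encoded: the '?' and '&' are gone, so no query survives
        "url_filter_roundtrips": via_url == uri,
        "url_filter_params": query_params(via_url),
        # entity-escaped: the browser decodes '&amp;' back to '&' and the
        # percent-encoding from uri_for reaches the server untouched
        "html_filter_roundtrips": via_html == uri,
        "html_filter_params": query_params(via_html),
    }
```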