On Sat, 26 Sep 2020 at 16:37, Sam Ruby <[email protected]> wrote:
>
> On Sat, Sep 26, 2020 at 10:55 AM sebb <[email protected]> wrote:
> >
> > The URI.escape method is deprecated, and should be replaced.
> >
> > However, I'm not sure it's actually needed for Wunderbar code.
> >
> > For example, posted-reports.json.rb has
> >
> > _link THREAD + URI.escape('<' + mail.message_id + '>')
> >
> > However surely Wunderbar _json handles any necessary escaping?
> >
> > And posted-reports.cgi has:
> > href = THREAD + URI.escape('<' + mail.message_id + '>')
> > ...
> > _a mail.subject, href: href
> >
> > Again, I would expect Wunderbar to do the necessary.
>
> Wunderbar would need a way to know if the href was already escaped.
I've just checked, and it does do some escaping:
$ ruby -rwunderbar -e'_html {x="<[email protected]>"; y="&"; _h3 x ; _a y, href: x }'
gives the following body:
<h3><[email protected]></h3>
<a href="<[email protected]>">&</a>
This suggests that Wunderbar expects unescaped input?
> - Sam Ruby
