Can any justification be offered for the default set of escaped
("unsafe") characters in URI::Escape? (The set is:
[\x00-\x20"#%;<>?{}|\\^~`\[\]\x7F-\xFF] ) This is not (AFAIK) one
of the sets specified in any standard, nor does it seem to me a
useful set. When, for example, would you wish to escape '?' but not
'&'?
I fear that many people are writing fragile code like
$qs .= '&foo=' . uri_escape($value);
Not realizing that (eg) a '&' in $value will not be escaped, thus
corrupting their query string.
I think that the default uri_escape should aggressively escape all
(standard specified) unsafe and reserved URI characters. If it
escapes too much in a particular case, the failure will be
immediately discovered, and the code change is obvious. If it
escapes too little, nobody notices until someone enters funny data
six months later and everything breaks.
If there is some justification, can it be added to the
documentation, ideally along with some explanation of the pitfalls?
Andrew
PS. I know you may argue that people should use higher-level
modules for constructing URIs, but for many reasons not all will.
Also, URI::Escape documentation doesn't suggest this.
