>>>>> "Andrew" == Andrew Pimlott <[EMAIL PROTECTED]> writes:
Andrew> If there is some justification, can it be added to the
Andrew> documentation, ideally along with some explanation of the pitfalls?

Well, the right answer is to use URI to make a query_form, which
seems to have its own set of escaped items (from URI::_query...)

    $key =~ s/([;\/?:@&=+,\$%])/$URI::Escape::escapes{$1}/g;
    ...
    $val =~ s/([;\/?:@&=+,\$%])/$URI::Escape::escapes{$1}/g;

As for things that are illegal in a URI that must be escaped, I think
the list that URI::Escape uses is correct. Obviously, & is legal in a
URI. But ? is not, because that starts the query string. Think of
URI::Escape as the way to transform a filename on a Unix system (which
can be arbitrarily weird) into a URL that can be used to fetch that
resource. If it has & in the name, you can leave that alone. If it
has ? in the name, however, we must escape that. And that's exactly
right.

The problem with all this escaping is that it *is* a bit confusing.
You have three kinds of mappings, some of which use similar
characters: query forms, HTML, and URL characters.

For example, most people don't understand that to construct a <a
href="blah">link</a>, you have to both URI-escape the source data to
get to blah (or construct a query form if needed), *then* HTML-escape
it before sending it to the browser. Yes. Two levels. Whee.

So, anybody you see writing the code you originally quoted should
merely be shot. I don't think it helps to support WRONG practices,
especially if it might break CORRECT practices.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
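
The two levels of escaping described in the message above, as an added example that is not part of the original post: URI-escape the data (or build a query form), then HTML-escape the finished URL before it goes into the href. The helper name make_link, the example.com base URL, the sample data and the use of HTML::Entities for the HTML layer are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI;
use URI::Escape    qw(uri_escape);
use HTML::Entities qw(encode_entities);

# Hypothetical helper: build an <a> element from untrusted pieces,
# applying each escaping layer exactly once and in order.
sub make_link {
    my ($base, $filename, $query, $label) = @_;

    # Level 1a (URL characters): escape the file name as one path
    # segment, so a '?' in the name cannot start a query string.
    my $uri = URI->new($base . uri_escape($filename));

    # Level 1b (query form): URI escapes each key and value itself
    # and joins the pairs with '&'.
    $uri->query_form(@$query);

    # Level 2 (HTML): the finished URL is now attribute text, so the
    # '&' separating the parameters has to become '&amp;'. The link
    # label is HTML text and is escaped on its own; it never goes
    # through URI escaping.
    return sprintf '<a href="%s">%s</a>',
        encode_entities($uri->as_string),
        encode_entities($label);
}

# Constructed sample data, chosen to hit all three mappings:
# '?' and space in the file name, '&' and '%' in query values,
# '<', '>' and '&' in the visible label.
my $link = make_link(
    'http://www.example.com/files/',
    'what now?.txt',
    [ q => 'fish & chips', note => '<b>"50%"</b>' ],
    'Q&A <notes>',
);

print "$link\n";
```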