On 9/12/05, Dave Howorth <[EMAIL PROTECTED]> wrote:
> David Baird wrote:
> > On 9/12/05, Dave Howorth <[EMAIL PROTECTED]> wrote:
> >>The link is generated using this code from the macros template:
> >>
> >>   MACRO link(table, command, additional, label) BLOCK;
> >>     SET lnk = base _ "/" _ table _ "/" _ command _ "/" _ additional;
> >>     lnk = lnk | uri | html;
> >>     '<a href="' _ lnk _ '">';
> >>     label;
> >>     "</a>";
> >>   END;
> >>
> >>Clearly the uri filter can't encode an =, because then it would also
> >>encode the equal that separates the field name from the value.
> >
> > If this is true, then I'd suggest that's a bug in the uri filter. It
> > should be able to recognise that foo=baz=fuzz is a single key/value
> > pair, just by keeping track of how many ='s have been seen.
> 
> Don't think it's a 'bug', maybe a lack of features. The uri filter does
> pretty simple-minded character substitution, whilst full URI parsing and
> encoding is a scheme-specific nightmare as far as I can see. And since
> schemes are open-ended, it's not tractable in the general case.
> 
> > Using both a URI and HTML filter is surely wrong. The link macro is
> > building a URL at that point, it should only be URI escaping. The
> > thing that should be HTML-escaped is the label.
> 
> No, you also need to HTML encode a link that is going to appear in an
> HTML page. For example, a '<' character that appears in the href needs
> encoding (and one appears in my search query text, right next to the =,
> as it happens :)

Right, I get it. But then it seems to me that the link macro is
attempting to do the right thing, at the right place, and it's the
failure of the uri filter in this case that's the problem. Making
everyone escape everything they send to the link macro is a pretty
large inconvenience.

Later...

Just been playing with URI::Escape. I always thought you supplied it a
complete URI, and it gave you back the encoded version. But it looks
like you're expected to encode each key and value individually, then
join them together afterwards. 9 times out of 10, it's probably fine
to escape the whole thing, unless you have reserved characters (like
=) in your data.

> mean. Remember the 'escape functions' are TT built-ins. But I don't
> think that's the issue. It's pretty clear to me that it's broken. The
> only question in my mind is what is the best fix?
 
Maypole::Plugin::LinkTools currently doesn't do any escaping, so that
needs fixed. How about if it accepted an arrayref or hashref (as well
as a plain string) for 'additional', and then it uri + html escaped
each component individually before constructing the link? Arrayref
becomes additional components to the path, hashref becomes a query
string.

d.
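
The per-component escaping proposed above, sketched as an added example; it is not code from the thread or from Maypole::Plugin::LinkTools. The names `build_link` and `html_escape` are hypothetical, and the sketch assumes `base` is already a valid URL prefix, a plain-string `additional` is a single path segment, and the label is plain text.

```perl
use strict;
use warnings;
use URI::Escape qw(uri_escape);

# Minimal HTML escaping for attribute values and text (hypothetical helper,
# written inline so the example needs no module beyond URI::Escape).
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Hypothetical build_link(): 'additional' may be a plain string (one path
# segment), an arrayref (extra path segments) or a hashref (query string).
sub build_link {
    my ($base, $table, $command, $additional, $label) = @_;
    my @path  = map { uri_escape($_) } ($table, $command);
    my $query = '';
    if (ref $additional eq 'ARRAY') {
        push @path, map { uri_escape($_) } @$additional;
    }
    elsif (ref $additional eq 'HASH') {
        # Escape every key and value on its own, then join with = and &,
        # so a literal = or & inside the data cannot act as a separator.
        $query = '?' . join('&',
            map { uri_escape($_) . '=' . uri_escape($additional->{$_}) }
            sort keys %$additional);
    }
    elsif (defined $additional && length $additional) {
        push @path, uri_escape($additional);
    }
    my $url = join('/', $base, @path) . $query;
    # The finished URL is HTML-escaped once, as an attribute value; this is
    # what turns the & between query pairs into &amp;.
    return sprintf('<a href="%s">%s</a>',
                   html_escape($url), html_escape($label));
}

# Constructed sample input: a query value containing both = and <.
print build_link('/app', 'gene', 'search',
                 { query => 'a=b<c', page => 2 }, 'next <page>'), "\n";
```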

