On Tue, Dec 04, 2012 at 03:37:31PM -0800, Bill Moseley wrote:
> I've always used href="[% c.uri_for( ... ) | html %]"

I can see a few issues when using ?a=b&c=d type of URL parameters[1], but this is not usually what you do with Catalyst, so let's set this aside for the moment.

Your suggestion is XHTML compatible, which is good, but maybe not enough. My problem is quite simple; let's use your approach (which will avoid XHTML warnings).

My template:

    [% v = a | url %]
    <p>test 1: <a href="[% c.uri_for(c.controller.action_for('object'), [ v ]) | html %]">[% a | html %]</a></p>
    <p>test 2: <a href="[% c.uri_for(c.controller.action_for('object'), [ a ]) | html %]">[% a | html %]</a></p>

The 'a' stash variable is set as:

    sub toto :Global {
        my ($self, $c) = @_;
        $c->stash('a' => "a=b&c%34 '");   # ends with space apostrophe
    }

The result I get (stray HTML excerpt -- your mail client might corrupt this):

    <p>test 1: <a href="http://192.168.99.121:3001/directory/a=b&c%2534%20'/object">a=b&c%34 '</a></p>
    <p>test 2: <a href="http://192.168.99.121:3001/directory/a=b&c%34%20'/object">a=b&c%34 '</a></p>

From above:

- only doing | url manually and then | html encodes the % character correctly; just doing | html after uri_for() is not enough -- what is funny is that the space character *is* encoded correctly by uri_for(), but not the % character.
- none of uri_for(), url or html does anything for the apostrophe, which was already mentioned on the mailing list -- I never use ' as an HTML quote anyway.

Can you reproduce this with your version of Catalyst? Maybe mine has a specific bug and I should upgrade.

This is not a security problem, it's more a data passthrough issue.

PS: Aristotle Pagaltzis's idea of uri_for() could be a work-around for the non-encoding of some of the dangerous characters such as %, however a more general solution should be handy, e.g. fix uri_for()?

[1] specifically if you want a to be b&c=d. Should be either encoded as ?a=b%26c=d or double-encoded as ?a=b&amp;c=d. I would prefer the former.
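As an added example (not code from the message or from Catalyst), here are the two encoding layers applied in the right order in plain Perl: percent-encode the path segment at the URI layer first, then HTML-escape the finished href. It assumes a hand-built href instead of c.uri_for(), uses a stricter unreserved set than TT's url filter (so & and ' are covered as well), and its html_escape also handles the apostrophe that TT's html filter leaves alone; the base URL and stash value are the ones from the message, and href_html_only reproduces the insufficient "| html only" variant for comparison.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# URI layer: percent-encode a single path segment, keeping only the
# RFC 3986 unreserved characters (stricter than TT's 'url' filter, which
# leaves & and ' alone). Assumes byte/ASCII input; UTF-8-encode first
# when wide characters are possible.
sub encode_path_segment {
    my ($seg) = @_;
    $seg =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
    return $seg;
}

# HTML layer: escape an attribute value, including the apostrophe that
# TT's 'html' filter does not touch.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Correct order: URI encoding first, HTML escaping second. The '%' in
# the stash value becomes '%25', so the browser decodes it back to '%'.
sub href_encoded_then_html {
    my ($base, $value) = @_;
    return html_escape("$base/" . encode_path_segment($value) . '/object');
}

# The insufficient variant from the message: only '| html' after the URI
# is built. '%34' passes through untouched and the browser later decodes
# it as '4', so the value the controller receives is no longer the same.
sub href_html_only {
    my ($base, $value) = @_;
    return html_escape("$base/$value/object");
}

my $base  = 'http://192.168.99.121:3001/directory';   # base URL from the message
my $value = "a=b&c%34 '";                              # same constructed stash value

print "correct:   ", href_encoded_then_html($base, $value), "\n";
print "html only: ", href_html_only($base, $value), "\n";
```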
_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/