Randal L. Schwartz wrote:
Josh> The browser should handle this fine if you just encode the html entities.
Josh> If it's in an input you will have:
Josh> <input value="face of "fred".gif"> and the browser should
Josh> take care of uri encoding.
Oh, you mean you think it's OK to send garbage (illegal according to the RFCs), and count on the error-correcting features of a browser to work properly when you've sent out garbage.
OK, I'll just ignore the garbage I'm getting from you then, and correct
the errors for the other readers of this list who believe in doing
things according to the specs.
How about this as a better example to make your point, Randal?
face of fred?.gif
;)
Oh wait, even better example:
face of "fred&bill?" ;).gif
Of course, I can't find any set of built-in filters that escapes either of them correctly. *grin*
http://hostile.org/images/face%20of%20%22fred%3F%22.gif
http://hostile.org/images/face%20of%20%22fred%26bill%3F%22%20%3B).gif
Still, more filtering is better... always.
Hmm, I retract my initial email. For some reason I kept thinking of only form inputs, when the original question was about an <img src> html tag. I believe it is correct in this case to always url encode any items in the url that could contain special characters. Sorry for getting you guys all riled up.
-- Josh
_______________________________________________
templates mailing list
http://lists.template-toolkit.org/mailman/listinfo/templates
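The two layers the thread settles on for an `<img src>` value, percent-encoding the filename and then HTML-escaping the attribute, as an added example in JavaScript (not code from the list or from Template Toolkit). The helper names are hypothetical; the filenames and base URL are the ones quoted above.

```javascript
// Added example: two-layer encoding for an untrusted filename in <img src>.
// Helper names are hypothetical; sample values are taken from the thread.

// Layer 1: percent-encode one path segment so it is a legal URI component.
// encodeURIComponent leaves only A-Z a-z 0-9 - _ . ! ~ * ' ( ) unescaped.
function encodePathSegment(name) {
  return encodeURIComponent(name);
}

// Layer 2: escape characters that are special inside an HTML attribute value.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// URI-encode the filename first, then HTML-escape the complete URL.
// The alt text is plain text, so it only needs the HTML layer.
function imgTag(baseUrl, filename) {
  const url = baseUrl + encodePathSegment(filename);
  return '<img src="' + escapeHtmlAttr(url) + '" alt="' + escapeHtmlAttr(filename) + '">';
}

// HTML entity escaping alone: the markup stays intact, but the URL still
// holds raw spaces and a "?" that starts a query string and cuts the path.
function imgTagHtmlOnly(baseUrl, filename) {
  return '<img src="' + escapeHtmlAttr(baseUrl + filename) + '">';
}

const BASE = 'http://hostile.org/images/';
const SAMPLES = ['face of "fred?".gif', 'face of "fred&bill?" ;).gif'];
for (const name of SAMPLES) {
  console.log(imgTagHtmlOnly(BASE, name)); // HTML layer only
  console.log(imgTag(BASE, name));         // both layers
}
```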
