* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-08-20 17:55]:
> Aristotle Pagaltzis <[EMAIL PROTECTED]> wrote on 08/19/2008 04:39:55 PM:
> > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-08-19 21:55]:
> > > $c->response->headers->header('Content-disposition:' => "attachment;
> > > filename=$filename" );
> >
> > You forgot
> >
> > $filename =~ s!"!\\"!g;
>
> Yes, I usually sanitize and escape outside of that block --
> good catch.
I prefer to do this kind of encode/decode stuff at the boundaries
of the code. It is hard to keep track of how the data is encoded
and who is responsible for what kind of transformation at what
time when you don’t do it that way. The particular case of these
filenames is probably not too difficult because you probably
aren’t going to be doing a whole lot with them anyway, but still,
I prefer to push encoding and decoding to the boundaries as a
general principle so I can never forget to take it into account
in the middle of the system.
PS.: I missed the fact that that should of course also be
accompanied by always quoting the filename (which presumably in
your own code is also happening elsewhere):
$filename =~ s!"!\\"!g;
$c->res->header( 'Content-Disposition' => qq[attachment;
filename="$filename"] );
Regards,
--
Aristotle Pagaltzis // <http://plasmasturm.org/>
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
