Re: [Catalyst] Escaping of argument of private path

2011-03-16 Thread Octavian Rasnita

From: John M. Dlugosz wxju46g...@snkmail.com
On 3/15/2011 4:56 AM, Octavian Rasnita orasnita-at-gmail.com 
|Catalyst/Allow to home| wrote:


uri_for() escapes only the chars which are not in the following list 
(from URI.pm):


$reserved   = q(;/?:@&=+$,[]);
$mark       = q(-_.!~*'());  #'; emacs
$unreserved = "A-Za-z0-9\Q$mark\E";

The char & is a valid char in the URI, so it should not be escaped. 
In other words, the following url is OK:


http://localhost/dir1/dir2/ham%20&%20eggs.jpg

uri_for() generates the URI as it needs to be accessed on the server and 
not as it should be printed in an HTML page. In order to be printed 
correctly, the & char must be HTML-encoded, so the html TT filter must 
be used:


<a href="[% c.uri_for('/path', 'eggs & ham.jpg', {a=1, b=2}).path_query | html %]">label</a>


It will give:

<a href="/path/eggs%20&amp;%20ham.jpg?a=1&amp;b=2">label</a>



In contrast, the 'uri' filter in TT converts any characters outside of 
the permitted URI character set (as defined by RFC 2396) and that 
includes |&|, |@|, |/|, |;|, |:|, |=|, |+|, |?| and |$|.

The 'url' filter in TT is less aggressive, and does not include those.



Those chars are not permitted in query strings but they are permitted in 
URLs. The ?, &, =, +, ; signs are used for separating the path 
and the query string, to delimit the query string parts, to represent a 
space char...
They can also be used in names of the files in path. For example, the 
following URL is valid:


http://localhost/static/a%20&%20@%20;%20$%20+%20=.txt

If you want, you can escape these chars everywhere, not only in the query 
strings, but why would you want to do this?


The '&' is a Reserved Character according to §2.2 of RFC 2396.  That is 
what the code sample you quoted notes: the set of reserved characters. 
They may have specific meanings as delimiters within the overall URI, so 
should be escaped.  Just skimming, I see that it's reserved within the 
query component.



Yes, but uri_for() escapes them in the query components (where they need to 
be escaped).


For example:

[% file = 'a+b = c & $î @â'; a = 'a+b = c & $î @â'; b = 'a+b = c & $î @â' %]
<a href="[% c.uri_for('/path', file, {a=a, b=b}).path_query %]">label</a>

will display:

<a href="/path/a+b%20=%20c%20&%20$%C3%AE%20@%C3%A2?a=a%2Bb+%3D+c+%26+%24%C3%AE+%40%C3%A2&b=a%2Bb+%3D+c+%26+%24%C3%AE+%40%C3%A2">label</a>


Note that I didn't html-encode the URL, to make the result easier to see.
As you may see, the reserved chars are escaped by uri_for() only where they 
need to be escaped.


And of course, if you need to print this URL in an HTML document, you can 
add the TT html filter and the & chars will be displayed as &amp;.



Anyway, using the TT 'uri' filter on the dynamic path component means I 
don't have to use the html filter also!



Why would you like to need to escape every path component by using the TT 
uri filter for more times and escape the reserved chars even where they can 
be used as they are, instead of using the html filter once?


If you want, you can uri-escape even the [a-zA-Z0-9] chars, but why would 
you want to escape chars where they don't need to be escaped? :-)


Octavian


___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
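
The layering discussed in the message above (URI-escape the dynamic file name as one path segment, build the query string separately, then HTML-encode the finished URL once for the attribute), as an added example that is not part of the original thread and not Catalyst's own code. The helper name attr_url_for_file and the sample values are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI;
use URI::Escape    qw(uri_escape_utf8);
use HTML::Entities qw(encode_entities);

# Build an HTML-safe src/href value for a file name taken from disk.
# $base is chosen by the programmer; $filename and the values in @$query
# are untrusted data. (Helper name and arguments are hypothetical.)
sub attr_url_for_file {
    my ($base, $filename, $query) = @_;

    # Layer 1: URI-escape the name as a single path segment. The default
    # unsafe set of uri_escape_utf8 is everything outside the unreserved
    # characters, so "&", "?", "#" and "/" in the name cannot act as
    # delimiters in the resulting URL.
    my $segment = uri_escape_utf8($filename);

    # Layer 2: let URI build the query string, so "&", "=" and "+" inside
    # values are escaped while the separators between pairs are not.
    # An array ref keeps the parameter order stable.
    my $uri = URI->new("$base/$segment");
    $uri->query_form($query) if $query && @$query;

    # Layer 3: HTML-encode the finished URL for a quoted attribute value.
    return encode_entities($uri->as_string, q{<>&"'});
}

# Constructed sample input: a name that contains URI delimiters.
my $name = 'ham & eggs #1?.jpeg';
my $src  = attr_url_for_file('/static/gallery', $name,
                             [ w => 200, tag => 'a&b' ]);
print qq{<img src="$src" alt="photo" />\n};

# The string passed to open() stays the original, unescaped file name.
print "file on disk: $name\n";
```

The escaped form exists only in the generated URL; the program keeps the raw name for file system calls, which addresses the concern about munging the file name before use.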


Re: [Catalyst] Escaping of argument of private path

2011-03-16 Thread John M. Dlugosz

On 3/16/2011 2:02 AM, Octavian Rasnita orasnita-at-gmail.com |Catalyst/Allow to 
home| wrote:
Why would you like to need to escape every path component by using the TT uri filter for 
more times and escape the reserved chars even where they can be used as they are, 
instead of using the html filter once?


If you want, you can uri-escape even the [a-zA-Z0-9] chars, but why would you want to 
escape chars where they don't need to be escaped? :-)


Octavian



Only the component that is dynamic (not chosen when I created the program) needs any kind 
of processing.  These are actual file names found in some directory.  What I really want 
is a call to escape anything that would cause problems, for whatever reason as one step.




Re: [Catalyst] Escaping of argument of private path

2011-03-15 Thread Octavian Rasnita

From: John M. Dlugosz wxju46g...@snkmail.com

Consider this TT fragment:

[% fname = rec.filename | uri %]
<img src="[% c.uri_for("${directory}/${fname}") %]" alt="photo" />

There is no reason to suppose that the filename follows URL naming 
conventions, and it may be something like "ham & eggs.jpeg".  This in fact 
works as written, but I'm wondering if it's quite correct.


In fact, I'm surprised that uri_for doesn't do this for me!  I pass in a 
file name and get a URL back, right?  Munging the file name first doesn't 
make sense since that's no longer the file name and won't work in a call 
to Open, for example.


But escaping each component, and not the component delimiters, after 
getting the purported uri back would be much more work.  This should be 
simpler.  What am I missing?





uri_for() escapes each component, but I guess that it doesn't escape it if 
it contains a slash in it.


For example, you can do:

<img src="[% c.uri_for('/static', 'ham and eggs.jpg').path %]">

It will print:

<img src="/static/ham%20and%20eggs.jpg">

Octavian




Re: [Catalyst] Escaping of argument of private path

2011-03-15 Thread John M. Dlugosz

On 3/15/2011 1:38 AM, Octavian Rasnita orasnita-at-gmail.com |Catalyst/Allow to 
home| wrote:
uri_for() escapes each component, but I guess that it doesn't escape it if it contains a 
slash in it.


For example, you can do:

<img src="[% c.uri_for('/static', 'ham and eggs.jpg').path %]">

It will print:

<img src="/static/ham%20and%20eggs.jpg">

Octavian



I see... it wants you to pass separate arguments rather than building the path 
first.

I was thinking that uri_for might be more trouble than it's worth since I don't like 
fully-qualified URLs in my generated source anyway.  But if it escapes (sometimes?) then 
that is indeed more helpful.


<img src="[% c.uri_for("/static/gallery",rec.dirname,rec.filename) %]" alt="photo" />

That works (using Smart_URI settings to leave off the host).  But it did not escape out 
the '&' in the filename!  Is that a bug?  I notice you changed my example from '&' to 
'and' -- that's cheating!


<img src="[% "/static/gallery/${rec.dirname}/${ rec.filename | uri }" %]" alt="photo" />

gives the correct answer: ham%20%26%20eggs.jpeg





Re: [Catalyst] Escaping of argument of private path

2011-03-15 Thread Octavian Rasnita

From: John M. Dlugosz wxju46g...@snkmail.com

On 3/15/2011 1:38 AM, Octavian Rasnita orasnita-at-gmail.com 
|Catalyst/Allow to home| wrote:
uri_for() escapes each component, but I guess that it doesn't escape it 
if it contains a slash in it.


For example, you can do:

<img src="[% c.uri_for('/static', 'ham and eggs.jpg').path %]">

It will print:

<img src="/static/ham%20and%20eggs.jpg">

Octavian



I see... it wants you to pass separate arguments rather than building the 
path first.



It just gets the path and the list of arguments, but it escapes the special 
characters only in the arguments, not the path.



I was thinking that uri_for might be more trouble than it's worth since I 
don't like fully-qualified URLs in my generated source anyway.  But if it 
escapes (sometimes?) then that is indeed more helpful.


You don't need to use fully-qualified URLs if you don't like, even though it 
doesn't matter because they are dynamically generated anyway.

uri_for() returns a URI object, so you can use:

c.uri_for(...).path

This will return only the path, without the scheme, host and port.

or:

c.uri_for(...).path_query

...if the URL also contains a query string (?a=b&c=d)


<img src="[% c.uri_for("/static/gallery",rec.dirname,rec.filename) %]" alt="photo" />


That works (using Smart_URI settings to leave off the host).  But it did 
not escape out the '&' in the filename!  Is that a bug?  I notice you 
changed my example from '&' to 'and' -- that's cheating!


:-)

<img src="[% "/static/gallery/${rec.dirname}/${ rec.filename | uri }" %]" alt="photo" />


gives the correct answer: ham%20%26%20eggs.jpeg



uri_for() escapes only the chars which are not in the following list (from 
URI.pm):


$reserved   = q(;/?:@&=+$,[]);
$mark       = q(-_.!~*'());  #'; emacs
$unreserved = "A-Za-z0-9\Q$mark\E";

The char & is a valid char in the URI, so it should not be escaped. In 
other words, the following url is OK:


http://localhost/dir1/dir2/ham%20&%20eggs.jpg

uri_for() generates the URI as it needs to be accessed on the server and not 
as it should be printed in an HTML page. In order to be printed correctly, 
the & char must be HTML-encoded, so the html TT filter must be used:


<a href="[% c.uri_for('/path', 'eggs & ham.jpg', {a=1, b=2}).path_query | html %]">label</a>


It will give:

<a href="/path/eggs%20&amp;%20ham.jpg?a=1&amp;b=2">label</a>

Octavian





Re: [Catalyst] Escaping of argument of private path

2011-03-15 Thread John M. Dlugosz

On 3/15/2011 4:56 AM, Octavian Rasnita orasnita-at-gmail.com |Catalyst/Allow to 
home| wrote:


uri_for() escapes only the chars which are not in the following list (from 
URI.pm):

$reserved   = q(;/?:@&=+$,[]);
$mark       = q(-_.!~*'());  #'; emacs
$unreserved = "A-Za-z0-9\Q$mark\E";

The char & is a valid char in the URI, so it should not be escaped. In other words, 
the following url is OK:


http://localhost/dir1/dir2/ham%20&%20eggs.jpg

uri_for() generates the URI as it needs to be accessed on the server and not as it 
should be printed in an HTML page. In order to be printed correctly, the & char must 
be HTML-encoded, so the html TT filter must be used:


<a href="[% c.uri_for('/path', 'eggs & ham.jpg', {a=1, b=2}).path_query | html %]">label</a>

It will give:

<a href="/path/eggs%20&amp;%20ham.jpg?a=1&amp;b=2">label</a>



In contrast, the 'uri' filter in TT converts any characters outside of the permitted 
URI character set (as defined by RFC 2396) and that includes |&|, |@|, |/|, |;|, |:|, 
|=|, |+|, |?| and |$|.

The 'url' filter in TT is less aggressive, and does not include those.

The '&' is a Reserved Character according to §2.2 of RFC 2396.  That is what the code 
sample you quoted notes: the set of reserved characters.  They may have specific meanings 
as delimiters within the overall URI, so should be escaped.  Just skimming, I see that 
it's reserved within the query component.


Anyway, using the TT 'uri' filter on the dynamic path component means I don't have to use 
the html filter also!




[Catalyst] Escaping of argument of private path

2011-03-14 Thread John M. Dlugosz

Consider this TT fragment:

[% fname = rec.filename | uri %]
<img src="[% c.uri_for("${directory}/${fname}") %]" alt="photo" />

There is no reason to suppose that the filename follows URL naming conventions, and it may 
be something like "ham & eggs.jpeg".  This in fact works as written, but I'm wondering if 
it's quite correct.


In fact, I'm surprised that uri_for doesn't do this for me!  I pass in a file name and get 
a URL back, right?  Munging the file name first doesn't make sense since that's no longer 
the file name and won't work in a call to Open, for example.


But escaping each component, and not the component delimiters, after getting the purported 
uri back would be much more work.  This should be simpler.  What am I missing?



