Re: [Catalyst] Escaping of argument of private path
From: John M. Dlugosz wxju46g...@snkmail.com

> On 3/15/2011 4:56 AM, Octavian Rasnita orasnita-at-gmail.com |Catalyst/Allow to home| wrote:
>> uri_for() escapes only the chars which are not in the following list (from URI.pm):
>>
>>     $reserved   = q(;/?:@&=+$,[]);
>>     $mark       = q(-_.!~*'());  #'; emacs
>>     $unreserved = "A-Za-z0-9\Q$mark\E";
>>
>> The & char is a valid char in the URI, so it should not be escaped.
>>
>> In other words, the following url is OK:
>>
>>     http://localhost/dir1/dir2/ham%20&%20eggs.jpg
>>
>> uri_for() generates the URI as it needs to be accessed on the server and not as it should be printed in an HTML page. In order to be printed correctly, the & char must be HTML-encoded, so the html TT filter must be used:
>>
>>     <a href="[% c.uri_for('/path', 'eggs & ham.jpg', {a=1, b=2}).path_query | html %]">label</a>
>>
>> It will give:
>>
>>     <a href="/path/eggs%20&amp;%20ham.jpg?a=1&amp;b=2">label</a>
>
> In contrast, the 'uri' filter in TT converts any characters outside of the permitted URI character set (as defined by RFC 2396), and that includes |&|, |@|, |/|, |;|, |:|, |=|, |+|, |?| and |$|. The 'url' filter in TT is less aggressive, and does not include those.

Those chars are not permitted in query strings but they are permitted in URLs. The ?, &, =, +, ; signs are used for separating the path and the query string, to delimit the query string parts, to represent a space char... They can be also used in names of the files in path. For example, the following URL is valid:

    http://localhost/static/a%20&%20@%20;%20$%20+%20=.txt

If you want, you can escape these chars everywhere, not only in the query strings, but why would you want to do this?

> The '&' is a Reserved Character according to §2.2 of RFC 2396. That is what the code sample you quoted notes: the set of reserved characters. They may have specific meanings as delimiters within the overall URI, so should be escaped. Just skimming, I see that it's reserved within the query component.

Yes, but uri_for() escapes them in the query components (where they need to be escaped).

For example:

    [% file = 'a+b = c & $î @â'; a = 'a+b = c & $î @â'; b= 'a+b = c & $î @â' %]
    <a href="[% c.uri_for('/path', file, {a=a, b=b}).path_query %]">label</a>

will display:

    <a href="/path/a+b%20=%20c%20&%20$%C3%AE%20@%C3%A2?a=a%2Bb+%3D+c+%26+%24%C3%AE+%40%C3%A2&b=a%2Bb+%3D+c+%26+%24%C3%AE+%40%C3%A2">label</a>

Note that I didn't html-encode the URL, to make the result easier to see. As you may see, the reserved chars are escaped by uri_for() only where they need to be escaped. And of course, if you need to print this URL in an HTML document, you can add the TT html filter and the & chars will be displayed as &amp;.

> Anyway, using the TT 'uri' filter on the dynamic path component means I don't have to use the html filter also!

Why would you like to need to escape every path component by using the TT uri filter for more times and escape the reserved chars even where they can be used as they are, instead of using the html filter once? If you want, you can uri-escape even the [a-zA-Z0-9] chars, but why would you want to escape chars where they don't need to be escaped? :-)

Octavian

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
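The two positions argued in this thread, side by side, as an added Perl example (not part of any post and not Catalyst's code): a "lenient" escaper that leaves alone the character list quoted from URI.pm, and a "strict" one that keeps only RFC 3986 unreserved characters, each followed by HTML attribute encoding. The file names and the `/static/gallery` base path are constructed for illustration.

```perl
use strict;
use warnings;
use Encode qw(encode);
use URI;

# Characters the thread quotes from URI.pm as left unescaped (reserved, mark,
# alphanumerics), written as the inside of a regex character class.
my $LENIENT_KEEP = q{A-Za-z0-9\-_.!~*'();/?:@&=+$,\[\]};
# RFC 3986 "unreserved" only: none of these can act as a URI delimiter.
my $STRICT_KEEP = q{A-Za-z0-9\-._~};

# Percent-encode the UTF-8 bytes of $seg, except bytes matching [$keep].
sub pct_encode {
    my ($seg, $keep) = @_;
    my $bytes = encode('UTF-8', $seg);
    $bytes =~ s/([^$keep])/sprintf('%%%02X', ord $1)/ge;
    return $bytes;
}

# Minimal HTML attribute encoding, the job the TT 'html' filter does in the thread.
sub html_attr {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $s =~ s/([&<>"])/$ent{$1}/g;
    return $s;
}

# Constructed file names; '/static/gallery' is a hypothetical base path.
for my $name ('ham & eggs.jpeg', 'who? me.jpeg') {
    for my $policy ([lenient => $LENIENT_KEEP], [strict => $STRICT_KEEP]) {
        my ($label, $keep) = @$policy;
        my $url = '/static/gallery/' . pct_encode($name, $keep);
        my $uri = URI->new($url);    # parse it back the way a server would
        printf "%-7s href=\"%s\"\n        path=%s query=%s\n",
            $label, html_attr($url), $uri->path, $uri->query // '(none)';
    }
}
```

With the lenient set, `who? me.jpeg` parses back with its path cut at `who` and the rest treated as a query string, while the strict set keeps the whole name inside the path. Both forms still need the HTML encoding step when the lenient output contains a raw `&`.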
Re: [Catalyst] Escaping of argument of private path
On 3/16/2011 2:02 AM, Octavian Rasnita orasnita-at-gmail.com |Catalyst/Allow to home| wrote:
> Why would you like to need to escape every path component by using the TT uri filter for more times and escape the reserved chars even where they can be used as they are, instead of using the html filter once? If you want, you can uri-escape even the [a-zA-Z0-9] chars, but why would you want to escape chars where they don't need to be escaped? :-)
>
> Octavian

Only the component that is dynamic (not chosen when I created the program) needs any kind of processing. These are actual file names found in some directory. What I really want is a call to escape anything that would cause problems, for whatever reason as one step.
Re: [Catalyst] Escaping of argument of private path
From: John M. Dlugosz wxju46g...@snkmail.com

> Consider this TT fragment:
>
>     [% fname = rec.filename | uri %]
>     <img src="[% c.uri_for("${directory}/${fname}") %]" alt="photo" />
>
> There is no reason to suppose that the filename follows URL naming conventions, and may be something like ham & eggs.jpeg. This in fact works as written, but I'm wondering if it's quite correct.
>
> In fact, I'm surprised that uri_for doesn't do this for me! I pass in a file name and get a URL back, right? Munging the file name first doesn't make sense since that's no longer the file name and won't work in a call to Open, for example. But escaping each component, and not the component delimiters, after getting the purported uri back would be much more work. This should be simpler. What am I missing?

uri_for() escapes each component, but I guess that it doesn't escape it if it contains a slash in it.

For example, you can do:

    <img src="[% c.uri_for('/static', 'ham and eggs.jpg').path %]">

It will print:

    <img src="/static/ham%20and%20eggs.jpg">

Octavian
Re: [Catalyst] Escaping of argument of private path
On 3/15/2011 1:38 AM, Octavian Rasnita orasnita-at-gmail.com |Catalyst/Allow to home| wrote:
> uri_for() escapes each component, but I guess that it doesn't escape it if it contains a slash in it.
>
> For example, you can do:
>
>     <img src="[% c.uri_for('/static', 'ham and eggs.jpg').path %]">
>
> It will print:
>
>     <img src="/static/ham%20and%20eggs.jpg">
>
> Octavian

I see... it wants you to pass separate arguments rather than building the path first.

I was thinking that uri_for might be more trouble than it's worth since I don't like fully-qualified URLs in my generated source anyway. But if it escapes (sometimes?) then that is indeed more helpful.

    <img src="[% c.uri_for("/static/gallery",rec.dirname,rec.filename) %]" alt="photo" />

That works (using Smart_URI settings to leave off the host). But it did not escape out the '&' in the filename! Is that a bug? I notice you changed my example from '&' to 'and' -- that's cheating!

    <img src="[% "/static/gallery/${rec.dirname}/${ rec.filename | uri }" %]" alt="photo" />

gives the correct answer: ham%20%26%20eggs.jpeg
Re: [Catalyst] Escaping of argument of private path
From: John M. Dlugosz wxju46g...@snkmail.com

> On 3/15/2011 1:38 AM, Octavian Rasnita orasnita-at-gmail.com |Catalyst/Allow to home| wrote:
>> uri_for() escapes each component, but I guess that it doesn't escape it if it contains a slash in it.
>>
>> For example, you can do:
>>
>>     <img src="[% c.uri_for('/static', 'ham and eggs.jpg').path %]">
>>
>> It will print:
>>
>>     <img src="/static/ham%20and%20eggs.jpg">
>>
>> Octavian
>
> I see... it wants you to pass separate arguments rather than building the path first.

It just gets the path and the list of arguments, but it escapes the special characters only in the arguments, not the path.

> I was thinking that uri_for might be more trouble than it's worth since I don't like fully-qualified URLs in my generated source anyway. But if it escapes (sometimes?) then that is indeed more helpful.

You don't need to use fully-qualified URLs if you don't like, even though it doesn't matter because they are dynamically generated anyway.

uri_for() returns a URI object, so you can use:

    c.uri_for(...).path

This will return only the path, without the scheme, host and port.

or:

    c.uri_for(...).path_query

...if the URL also contains a query string (?a=b&c=d)

>     <img src="[% c.uri_for("/static/gallery",rec.dirname,rec.filename) %]" alt="photo" />
>
> That works (using Smart_URI settings to leave off the host). But it did not escape out the '&' in the filename! Is that a bug? I notice you changed my example from '&' to 'and' -- that's cheating!

:-)

>     <img src="[% "/static/gallery/${rec.dirname}/${ rec.filename | uri }" %]" alt="photo" />
>
> gives the correct answer: ham%20%26%20eggs.jpeg

uri_for() escapes only the chars which are not in the following list (from URI.pm):

    $reserved   = q(;/?:@&=+$,[]);
    $mark       = q(-_.!~*'());  #'; emacs
    $unreserved = "A-Za-z0-9\Q$mark\E";

The & char is a valid char in the URI, so it should not be escaped.

In other words, the following url is OK:

    http://localhost/dir1/dir2/ham%20&%20eggs.jpg

uri_for() generates the URI as it needs to be accessed on the server and not as it should be printed in an HTML page. In order to be printed correctly, the & char must be HTML-encoded, so the html TT filter must be used:

    <a href="[% c.uri_for('/path', 'eggs & ham.jpg', {a=1, b=2}).path_query | html %]">label</a>

It will give:

    <a href="/path/eggs%20&amp;%20ham.jpg?a=1&amp;b=2">label</a>

Octavian
Re: [Catalyst] Escaping of argument of private path
On 3/15/2011 4:56 AM, Octavian Rasnita orasnita-at-gmail.com |Catalyst/Allow to home| wrote:
> uri_for() escapes only the chars which are not in the following list (from URI.pm):
>
>     $reserved   = q(;/?:@&=+$,[]);
>     $mark       = q(-_.!~*'());  #'; emacs
>     $unreserved = "A-Za-z0-9\Q$mark\E";
>
> The & char is a valid char in the URI, so it should not be escaped.
>
> In other words, the following url is OK:
>
>     http://localhost/dir1/dir2/ham%20&%20eggs.jpg
>
> uri_for() generates the URI as it needs to be accessed on the server and not as it should be printed in an HTML page. In order to be printed correctly, the & char must be HTML-encoded, so the html TT filter must be used:
>
>     <a href="[% c.uri_for('/path', 'eggs & ham.jpg', {a=1, b=2}).path_query | html %]">label</a>
>
> It will give:
>
>     <a href="/path/eggs%20&amp;%20ham.jpg?a=1&amp;b=2">label</a>

In contrast, the 'uri' filter in TT converts any characters outside of the permitted URI character set (as defined by RFC 2396), and that includes |&|, |@|, |/|, |;|, |:|, |=|, |+|, |?| and |$|. The 'url' filter in TT is less aggressive, and does not include those.

The '&' is a Reserved Character according to §2.2 of RFC 2396. That is what the code sample you quoted notes: the set of reserved characters. They may have specific meanings as delimiters within the overall URI, so should be escaped. Just skimming, I see that it's reserved within the query component.

Anyway, using the TT 'uri' filter on the dynamic path component means I don't have to use the html filter also!
[Catalyst] Escaping of argument of private path
Consider this TT fragment:

    [% fname = rec.filename | uri %]
    <img src="[% c.uri_for("${directory}/${fname}") %]" alt="photo" />

There is no reason to suppose that the filename follows URL naming conventions, and may be something like ham & eggs.jpeg. This in fact works as written, but I'm wondering if it's quite correct.

In fact, I'm surprised that uri_for doesn't do this for me! I pass in a file name and get a URL back, right? Munging the file name first doesn't make sense since that's no longer the file name and won't work in a call to Open, for example. But escaping each component, and not the component delimiters, after getting the purported uri back would be much more work. This should be simpler. What am I missing?