Re: [Catalyst] Does uri_for() URL-escape arguments correctly ?

2012-12-09 Thread Marc SCHAEFER
On Tue, Dec 04, 2012 at 03:37:31PM -0800, Bill Moseley wrote:
> I've always used href="[% c.uri_for( ... ) | html  %]"

I can see a few issues when using ?a=b&c=d type of URL parameters[1], but
this is not usually what you do with Catalyst, so let's set this aside
for the moment. Your suggestion is XHTML compatible, which is good, but
maybe not enough.

My problem is quite simple, let's use your approach (which will avoid
XHTML warnings).

My template:

[% v = a | url %]
test 1: [% a | html %]
test 2: [% a | html %]

The 'a' stash variable is set as:

sub toto :Global {
   my ($self, $c) = @_;

   $c->stash('a' => "a=b&c%34 '"); # ends with a space and an apostrophe
}

The result I get (stray HTML excerpt -- your mail client might
corrupt this):

test 1: http://192.168.99.121:3001/directory/a=b&c%2534%20'/object">a=b&c%34
 '

test 2: http://192.168.99.121:3001/directory/a=b&c%34%20'/object">a=b&c%34
 '

From above:

   - only doing | url manually and then | html encodes the % character
     correctly; just doing | html after uri_for() is not enough -- the funny
     thing is that the space character *is* encoded correctly by uri_for(),
     but not the % character.

   - none of uri_for(), url or html does anything for the apostrophe, which
     was already mentioned on the mailing-list -- I never use ' as an
     HTML quote anyway.

Can you reproduce this with your version of Catalyst? Maybe mine has
a specific bug and I should upgrade. This is not a security problem, it's
more a data passthrough issue.

PS: Aristotle Pagaltzis's idea of uri_for() could be a work-around for the
non-encoding of some of the dangerous characters such as %, however
a more general solution would be handy, e.g. fix uri_for()?

[1] specifically if you want a to be b&c=d. Should be either encoded as
?a=b%26c=d or double-encoded as ?a=b&c=d. I would prefer
the former.


___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
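
As an added example (not code from this thread or from Catalyst itself), the following Perl script models the two behaviours compared in the test above: strict per-segment escaping with URI::Escape, and a lenient escaper that is an assumed approximation of the uri_for() output seen in test 2; it then decodes the path once, as a server would. The host name and both escape sets are assumptions.

```perl
use strict;
use warnings;
use URI::Escape qw(uri_escape uri_unescape);

# Constructed sample value, same shape as the stash variable above: '=', '&', a literal '%34', a space, an apostrophe.
my $name = "a=b&c%34 '";

# Strict per-segment escaping: everything outside the RFC 3986 unreserved set becomes %XX, so '%' is sent as %25.
sub escape_segment_strict {
    my ($s) = @_;
    return uri_escape($s, q{^A-Za-z0-9\-_.~});
}

# Lenient escaping: ASSUMED model of what test 2 shows for uri_for() (space escaped;
# '%', '&', '=' and the apostrophe passed through). Not Catalyst's code.
sub escape_segment_lenient {
    my ($s) = @_;
    return uri_escape($s, q{^A-Za-z0-9\-_.~%&='});
}

# Join escaped segments under a placeholder host.
sub build_url {
    my ($escaper, @segments) = @_;
    return 'http://example.invalid/' . join('/', map { $escaper->($_) } @segments);
}

# What the server sees: each path segment is %-decoded exactly once.
sub decode_path_segments {
    my ($url) = @_;
    my ($path) = $url =~ m{^https?://[^/]+/(.*)$};
    return map { uri_unescape($_) } split m{/}, $path, -1;
}

# Minimal equivalent of Template Toolkit's | html filter for an href attribute: & < > " only, nothing for the apostrophe.
sub html_attr {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $s =~ s/([&<>"])/$map{$1}/g;
    return $s;
}

for my $variant (['strict', \&escape_segment_strict], ['lenient', \&escape_segment_lenient]) {
    my ($label, $escaper) = @$variant;
    my $url  = build_url($escaper, 'directory', $name, 'object');
    my $seen = (decode_path_segments($url))[1];   # the segment built from $name
    printf "%-7s href=\"%s\"\n", $label, html_attr($url);
    printf "%-7s server sees: %s (%s)\n", $label, $seen,
        $seen eq $name ? 'round-trips' : 'CORRUPTED: %34 was decoded to "4"';
}
```

The strict variant round-trips the filename unchanged; the lenient one reproduces the test 2 URL and the server decodes its `%34` into `4`, which is the data passthrough problem described above.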


Re: [Catalyst] Does uri_for() URL-escape arguments correctly ?

2012-12-04 Thread Bill Moseley
On Tue, Dec 4, 2012 at 5:22 AM, Marc SCHAEFER  wrote:

> Hi,
>
> for some time I have been writing things like this in my templates:
>
> 
>

I've always used href="[% c.uri_for( ... ) | html  %]"


-- 
Bill Moseley
mose...@hank.org


[Catalyst] Does uri_for() URL-escape arguments correctly ?

2012-12-04 Thread Marc SCHAEFER
Hi,

for some time I have been writing things like this in my templates:



where file is something which can contain a lot of dangerous characters.

I assumed (and after experiencing a bit it seemed to be the case) that
it would escape spaces, quotes, slashes, etc using the %XX URL-escapes.
It seems to do it, even for / e.g.

However, it does not escape the % character itself. Yes, I do have filenames
with % in them :)

The url filter in the Template Toolkit does, so the following work-around
works (because already %-encoded sequences are untouched by uri_for())

   [% file = path _ video | url %]

Am I mistaken to think that c.uri_for(x, y) does the auto-filtering
for y automatically, as required?

I might also have a question regarding the priority of operations in
path _ video | url. In my case it works, because path doesn't contain %,
but slashes.

