>>>>> "Josh" == Josh Rosenbaum <[EMAIL PROTECTED]> writes:

Josh> I don't think that's a good idea. I would guess that this is used
Josh> somewhere like so:

Josh> [% USE url('/foo/bar'); %]
Josh> <a href="[% url(this = 'that' fred = 'flintstone') %]">link text</a>
Josh> <a href="[% url(foo = 'blah') %]">another link text</a>

But this *should* have been written as

[% url(foo = 'blah') | html %]

because you're inserting unsafe text into HTML.

Yes, it's probably not cool to break things, but this is arguably broken
code already.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[email protected]> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

_______________________________________________
templates mailing list
[email protected]
http://lists.template-toolkit.org/mailman/listinfo/templates
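
Added example, not part of the original message or of Template Toolkit's own code: it renders the same anchor with and without the `html` filter and flags any `href` value that still carries a bare `&`. The `link` value is a constructed sample standing in for a URL helper that joins parameters with a plain `&` (an assumption), and `bare_ampersand_hrefs` is a hypothetical helper.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed sample: the kind of string a URL helper yields when it joins
# parameters with a bare '&' (assumption for this example).
my %vars = ( link => '/foo/bar?this=that&fred=flintstone' );

# The same anchor twice: unfiltered, and passed through the html filter.
my %templates = (
    unfiltered => q{<a href="[% link %]">link text</a>},
    filtered   => q{<a href="[% link | html %]">link text</a>},
);

# Hypothetical helper: return every href value that still contains an '&'
# which does not begin a named or numeric character reference.
sub bare_ampersand_hrefs {
    my ($html) = @_;
    my @bad;
    while ( $html =~ /href="([^"]*)"/g ) {
        my $value = $1;
        push @bad, $value
            if $value =~ /&(?!(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#x[0-9A-Fa-f]+);)/;
    }
    return @bad;
}

my $tt = Template->new or die Template->error;

for my $name ( sort keys %templates ) {
    my $out = '';
    $tt->process( \$templates{$name}, \%vars, \$out ) or die $tt->error;

    # Report the rendered markup and whether the attribute is correctly encoded.
    my @bad = bare_ampersand_hrefs($out);
    printf "%-10s %s\n  => %s\n", $name, $out,
        @bad ? "bare '&' in href: @bad" : 'ok';
}
```

The filter has to be applied exactly once: running it over a value that is already HTML-encoded turns `&amp;` into `&amp;amp;` and changes the link.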
