On Fri, Dec 23, 2005 at 10:29:00AM -0800, Randal L. Schwartz wrote:
> >>>>> "Josh" == Josh Rosenbaum <[EMAIL PROTECTED]> writes:
>
> Josh> I don't think that's a good idea. I would guess that this is used
> Josh> somewhere like so:
>
> Josh> [% USE url('/foo/bar'); %]
> Josh> <a href="[% url(this = 'that' fred = 'flintstone') %]">link text</a>
> Josh> <a href="[% url(foo = 'blah') %]">another link text</a>
>
> But this *should* have been written as
>
> [% url(foo = 'blah') | html %]
>
> because you're inserting unsafe text into HTML.

No, because the url plugin escapes for you.
If it was written and documented another way then you would be correct.

$ perl -MTemplate::Plugin::URL -lwe 'print Template::Plugin::URL->new("","/foo/bar")->( {foo => "text", bar => "&something<>", })'
/foo/bar?bar=%26something%3C%3E&foo=text

--
Bill Moseley
[EMAIL PROTECTED]
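
Added example, not part of the thread and not Template::Plugin::URL's own code: a stand-alone Perl script that separates the two encoding layers under discussion, percent-encoding of query keys and values versus HTML escaping of the finished URL for a quoted attribute. The helper names pct_encode, build_url and html_escape are hypothetical, and the sample input reuses the values from the one-liner in the message.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Percent-encode one query key or value: every byte outside the
# RFC 3986 unreserved set becomes %XX (input is treated as bytes).
sub pct_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Build base?k=v&k=v with sorted keys, pairs joined by a raw "&".
# (Hypothetical helper; it does not claim to mirror the plugin's internals.)
sub build_url {
    my ($base, %args) = @_;
    my $query = join '&',
        map { pct_encode($_) . '=' . pct_encode($args{$_}) } sort keys %args;
    return length $query ? "$base?$query" : $base;
}

# Escape the characters that are significant inside a quoted HTML attribute.
sub html_escape {
    my ($s) = @_;
    my %ent = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Constructed sample input: same base and arguments as the one-liner.
my $url = build_url('/foo/bar', foo => 'text', bar => '&something<>');

# URL layer: "&", "<" and ">" inside values are already %XX, so no value
# can break out of the attribute; only the pair separator is a literal "&".
print "url layer:  $url\n";

# HTML layer: the separator becomes &amp;, the %XX sequences are untouched.
print 'html layer: <a href="', html_escape($url), qq{">link text</a>\n};
```

Running it prints the URL once as built and once as it would appear inside an href attribute after HTML escaping, which makes the single character that differs between the two layers easy to see.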