Randal L. Schwartz wrote:
> "Josh" == Josh Rosenbaum <[EMAIL PROTECTED]> writes:
>
> Josh> I don't think that's a good idea. I would guess that this is used somewhere like so:
>
> Josh> [% USE url('/foo/bar'); %]
> Josh> <a href="[% url(this = 'that' fred = 'flintstone') %]">link text</a>
> Josh> <a href="[% url(foo = 'blah') %]">another link text</a>
>
> But this *should* have been written as
>
> [% url(foo = 'blah') | html %]
>
> because you're inserting unsafe text into HTML.

Looking at the code, I think the url plugin url-encodes params. (Including non-safe html.) Here's the line that does the encoding:

$toencode=~s/([^a-zA-Z0-9_.-])/uc sprintf("%%%02x",ord($1))/eg;


> Yes, it's probably not cool to break things, but this is arguably broken
> code already.

I wouldn't consider it broken, but just not malleable to other purposes. Also, I think if this sort of change needs to be done it is best suited for a major release such as TT3. I don't actually even use the URL plugin, I just know what it's like to change code on people and have their stuff broken.
For now the best way to resolve the problem IMHO is to add functionality to allow people to do what they need to do, and leave default behavior alone.

-- Josh


_______________________________________________
templates mailing list
[email protected]
http://lists.template-toolkit.org/mailman/listinfo/templates
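
The two positions in this thread can be checked side by side. The following is an added example, not code from the thread or from Template Toolkit: it applies the substitution quoted in the message to parameter values that contain HTML metacharacters, then shows which parts of the finished URL that substitution never touches. `build_url`, `html_escape`, the explicit joint argument and the sample parameters are hypothetical and constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape one parameter name or value using the substitution quoted in the
# message above (same character class, same uppercase %XX output).
sub escape_component {
    my ($toencode) = @_;
    $toencode =~ s/([^a-zA-Z0-9_.-])/uc sprintf("%%%02x", ord($1))/eg;
    return $toencode;
}

# Hypothetical helper: build "base?k=v<joint>k=v". The joint and the base
# are passed through as-is, so the escape above does not cover them.
sub build_url {
    my ($base, $joint, %params) = @_;
    my $query = join $joint,
        map { escape_component($_) . '=' . escape_component($params{$_}) }
        sort keys %params;
    return length $query ? "$base?$query" : $base;
}

# Minimal HTML escaping, standing in for an "| html" style filter.
sub html_escape {
    my ($text) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $text =~ s/([&<>"])/$ent{$1}/g;
    return $text;
}

# Constructed sample input containing HTML metacharacters.
my %params = (foo => q{"><b>bold</b>}, fred => 'a&b');

my $url = build_url('/foo/bar', '&', %params);
print "raw:          $url\n";
print "html-escaped: ", html_escape($url), "\n";

# Each encoded component is free of HTML-significant characters ...
for my $value (values %params) {
    die "metacharacter survived: $value\n"
        if escape_component($value) =~ /[&<>"']/;
}

# ... but the joint between parameters is still a literal '&'; only the
# HTML-escaping pass turns it into '&amp;'.
die "expected a bare joint\n"    unless $url =~ /%3E&fred=a%26b\z/;
die "expected an escaped joint\n" unless html_escape($url) =~ /%3E&amp;fred=/;
```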
