[Catalyst] Escaping of "argument" of private path

Octavian Rasnita orasnita at gmail.com
Tue Mar 15 06:38:04 GMT 2011

From: "John M. Dlugosz" <wxju46gefd at snkmail.com>
> Consider this TT fragment:
>             [% fname = rec.filename | uri %]
> <img src="[% c.uri_for("${directory}/${fname}") %]" alt="photo" />
> There is no reason to suppose that the filename following URL naming 
> conventions, and may be something like "ham & eggs.jpeg".  This in fact 
> works as written, but I'm wondering if it's quite correct.
> In fact, I'm surprised that uri_for doesn't do this for me!  I pass in a 
> file name and get a URL back, right?  Munging the file name first doesn't 
> make sense since that's no longer the file name and won't work in a call 
> to Open, for example.
> But escaping each component, and not the component delimiters, after 
> getting the perported uri back would be much more work.  This should be 
> simpler.  What am I missing?

uri_for() escapes each component, but I guess that it doesn't escape it if 
it contains a slash in it.

For example, you can do:

<img src="[% c.uri_for('/static', 'ham and eggs.jpg').path %]">

It will print:

<img src="/static/ham%20and%20eggs.jpg">


More information about the Catalyst mailing list