[Catalyst] Escaping of "argument" of private path
John M. Dlugosz
wxju46gefd at snkmail.com
Wed Mar 16 01:36:29 GMT 2011
On 3/15/2011 4:56 AM, Octavian Rasnita orasnita-at-gmail.com |Catalyst/Allow to home| wrote:
>
> uri_for() escapes only the chars which are not in the following list (from URI.pm):
>
> $reserved = q(;/?:@&=+$,[]);
> $mark = q(-_.!~*'()); #'; emacs
> $unreserved = "A-Za-z0-9\Q$mark\E";
>
> The char "&" is a valid char in the URI, so it should not be escaped. In other words,
> the following url is OK:
>
> http://localhost/dir1/dir2/ham%20&%20eggs.jpg
>
> uri_for() generates the URI as it needs to be accessed on the server and not as it
> should be printed in an HTML page. In order to be printed correctly, the "&" char must
> be HTML-encoded, so the html TT filter must be used:
>
> <a href="[% c.uri_for('/path', 'eggs & ham.jpg', {a=1, b=2}).path_query | html%]">label</a>
>
> It will give:
>
> <a href="/path/eggs%20&%20ham.jpg?a=1&b=2">label</a>
>
In contrast, the 'uri' filter in TT converts "any characters outside of the permitted
URI character set (as defined by RFC 2396)", and that includes '&', '@', '/', ';', ':',
'=', '+', '?' and '$'.
The 'url' filter in TT is less aggressive, and does not include those.
The '&' is a "Reserved Character" according to §2.2 of RFC 2396. That is what the code
sample you quoted notes: the set of reserved characters. They may have specific meanings
as delimiters within the overall URI, so should be escaped. Just skimming, I see that
it's reserved within the query component.
Anyway, using the TT 'uri' filter on the dynamic path component means I don't have to use
the html filter also!
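The two escaping behaviours discussed in this thread, modelled in Python as an added example (this is not code from Catalyst, URI.pm or Template Toolkit; the two functions are assumed approximations built on urllib.parse.quote with the RFC 2396 sets quoted above). It shows the lenient, uri_for()-style escaping that leaves reserved characters such as '&' alone, the stricter TT 'uri'-style escaping that percent-encodes them, why the result still needs HTML escaping before it goes into an href attribute, and what goes wrong when a reserved character inside a query value is left unescaped:

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# RFC 2396 sets, as quoted from URI.pm earlier in the thread.
RESERVED = ";/?:@&=+$,[]"
MARK = "-_.!~*'()"


def escape_lenient(segment: str) -> str:
    """Approximation (assumed) of uri_for()/URI.pm: percent-encode only characters
    outside reserved + unreserved. Reserved characters such as '&' are left as-is."""
    # quote() always keeps letters, digits, '_', '.', '-' and '~'; the rest come from `safe`.
    return quote(segment, safe=RESERVED + MARK)


def escape_strict(segment: str) -> str:
    """Approximation (assumed) of the TT 'uri' filter: percent-encode everything outside
    the unreserved set (letters, digits and the RFC 2396 'mark' characters)."""
    return quote(segment, safe=MARK)


def build_url(segments, query, escape) -> str:
    """Join already-separated path segments and query pairs into a URL, escaping each
    piece with the supplied function before it is placed into its component."""
    path = "/" + "/".join(escape(seg) for seg in segments)
    if not query:
        return path
    qs = "&".join(f"{escape(k)}={escape(v)}" for k, v in query.items())
    return f"{path}?{qs}"


def html_attr(url: str) -> str:
    """HTML-escape a URL for use inside an href="..." attribute (the TT 'html' filter step).
    '&' becomes '&amp;' so the browser does not try to interpret an entity reference."""
    return html.escape(url, quote=True)


def query_params(url: str) -> dict:
    """Parse the query component back into a dict, as a server would."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the thread's "eggs & ham.jpg" example.
    print(build_url(["path", "eggs & ham.jpg"], {"a": "1", "b": "2"}, escape_lenient))
    print(build_url(["path", "eggs & ham.jpg"], {"a": "1", "b": "2"}, escape_strict))
    print(html_attr(build_url(["path", "eggs & ham.jpg"], {"a": "1", "b": "2"}, escape_lenient)))
    # A single query value that itself contains '&' and '=': with lenient escaping the
    # server sees two parameters; with strict escaping it sees the one value intended.
    print(query_params(build_url(["path"], {"a": "1&b=2"}, escape_lenient)))
    print(query_params(build_url(["path"], {"a": "1&b=2"}, escape_strict)))
```

The last two lines are the practical reason the strict form matters for dynamic values: an unescaped '&' or '=' inside a query value changes the structure of the query rather than being carried as data, so the receiving application parses parameters the caller never meant to send. HTML escaping is a separate, second step for the attribute context and does not replace percent-encoding.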