[Catalyst] Does uri_for() URL-escape arguments correctly ?
schaefer at alphanet.ch
Tue Dec 4 13:22:23 GMT 2012
For some time I have been writing things like this in my templates:
<a href="[% c.uri_for(c.controller.action_for('object'), [ file ]) %]"><img src="[% c.uri_for(c.controller.action_for('thumbnail'), [ file ]) %]" alt="[% video | html %]" /></a>
where file is something which can contain a lot of dangerous characters.
I assumed (and after experimenting a bit it seemed to be the case) that
it would escape spaces, quotes, slashes, etc. using the %XX URL-escapes.
It seems to do so, e.g. even for /.
However, it does not escape the % character itself. Yes, I do have filenames
with % in them :)
The url filter in the Template Toolkit does, so the following work-around
works (because already %-encoded sequences are untouched by uri_for()):
[% file = path _ video | url %]
Am I mistaken to think that c.uri_for(x, y) does the auto-filtering
for y automatically as required?
I might also have a question regarding the priority of operations in
path _ video | url. In my case it works, because path doesn't contain %,
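
Added example, not part of the original post and not Catalyst's own code: a strict per-segment encoder next to a hypothetical encoder that leaves % untouched (modelling the behaviour described above), run over constructed file names. It shows which names no longer decode to the original file name, and why pre-encoding with a strict filter first is stable under the lenient pass.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI::Escape qw(uri_escape_utf8 uri_unescape);

# Strict: escape everything outside the RFC 3986 unreserved set,
# so '%' becomes %25 and '/' becomes %2F.
sub encode_segment { return uri_escape_utf8($_[0]) }

# Hypothetical model of the behaviour described in the post: same as
# above, except that '%' is treated as safe and passed through unchanged.
sub encode_leaving_percent {
    return uri_escape_utf8($_[0], q{^A-Za-z0-9\-\._~%});
}

# What the receiving side sees after one round of URL-decoding.
sub decode_segment {
    my $bytes = uri_unescape($_[0]);
    utf8::decode($bytes);
    return $bytes;
}

# Constructed file names for illustration only.
my @names = ('50% off.avi', '50%20off.avi', 'a%2Fb.avi', 'plain name.avi');

for my $name (@names) {
    my $strict  = encode_segment($name);
    my $lenient = encode_leaving_percent($name);

    printf "name: %s\n", $name;
    printf "  strict : %-24s decodes to original: %s\n",
        $strict, decode_segment($strict) eq $name ? 'yes' : 'NO';
    printf "  lenient: %-24s decodes to original: %s\n",
        $lenient, decode_segment($lenient) eq $name ? 'yes' : 'NO';

    # Strict output contains only unreserved characters and %XX triplets,
    # so passing it through the lenient encoder changes nothing. This is
    # why encoding first and then handing the value on does not double-encode.
    printf "  lenient(strict) unchanged: %s\n",
        encode_leaving_percent($strict) eq $strict ? 'yes' : 'NO';
}
```

With the lenient encoder, `50%20off.avi` decodes to `50 off.avi` and `a%2Fb.avi` decodes to `a/b.avi`, so the server would look up a different name than the one stored on disk; the strict encoder round-trips all four names.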