[Catalyst] Does uri_for() URL-escape arguments correctly ?

Marc SCHAEFER schaefer at alphanet.ch
Tue Dec 4 13:22:23 GMT 2012


For some time I have been writing things like this in my templates:

<a href="[% c.uri_for(c.controller.action_for('object'), [ file ]) %]"><img src="[% c.uri_for(c.controller.action_for('thumbnail'), [ file ]) %]" alt="[% video | html %]" /></a>

where file is something which can contain a lot of dangerous characters.

I assumed (and after experimenting a bit it seemed to be the case) that
it would escape spaces, quotes, slashes, etc. using the %XX URL-escapes.
It seems to do it, even for / e.g.

However, it does not escape the % character itself. Yes, I do have filenames
with % in them :)

The url filter in the Template Toolkit does, so the following work-around
works (because already %-encoded sequences are untouched by uri_for()):

   [% file = path _ video | url %]

Am I mistaken to think that c.uri_for(x, y) does the auto-filtering
for y automatically as required?

I might also have a question regarding the priority of operations in
path _ video | url. In my case it works, because path doesn't contain %,
but slashes.
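
The round-trip problem described above, as an added example that is not part of the original post and is not Catalyst's own code. The helper names are hypothetical, the file names are constructed, and file names are assumed to be byte strings.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers for illustration; this is not Catalyst's uri_for() code.
# Assumption: file names are byte strings (already UTF-8 encoded if non-ASCII).

# Models the behaviour reported in the post: unsafe bytes become %XX,
# but a literal '%' is left untouched.
sub escape_leaving_percent {
    my ($segment) = @_;
    $segment =~ s/([^A-Za-z0-9\-._~%])/sprintf('%%%02X', ord $1)/ge;
    return $segment;
}

# Encodes every byte outside the RFC 3986 unreserved set, '%' and '/'
# included, so the value always stays one opaque path segment.
sub escape_segment {
    my ($segment) = @_;
    $segment =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
    return $segment;
}

# What the receiving side does with one path segment.
sub unescape_segment {
    my ($segment) = @_;
    $segment =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $segment;
}

# Constructed sample file names.
my @files = ('100% done.mp4', 'clip%41.mp4', 'a%2Fb.mp4', 'dir/file name.mp4');

for my $file (@files) {
    for my $encoder (\&escape_leaving_percent, \&escape_segment) {
        my $encoded = $encoder->($file);
        my $decoded = unescape_segment($encoded);
        # A mismatch means the handler sees a different name than the one linked.
        printf "%-18s -> %-26s -> %-18s %s\n",
            $file, $encoded, $decoded,
            $decoded eq $file ? 'ok' : 'MISMATCH';
    }
}
```

With '%' left unescaped, a name such as a%2Fb.mp4 decodes to a/b.mp4 on the receiving side, so the action is handed a different path than the file that was linked; encoding '%' as %25 keeps every name intact.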
