[Catalyst] Please help to figure out with URL's

Aristotle Pagaltzis pagaltzis at gmx.de
Thu Dec 4 23:37:43 GMT 2014


* Larry Leszczynski <larryl at emailplus.org> [2014-12-04 21:35]:
> On Thu, Dec 4, 2014, at 12:41 PM, Trevor Leffler wrote:
> > This is a typical use:
> >
> > <link href="[% c.uri_for('/static/css/my_style.css') | html %]" rel="stylesheet">
>
> Assuming you're using Template Toolkit, you should use the "url"
> filter, not the "html" filter:
>
>    <link href="[% c.uri_for('/static/css/my_style.css') | url %]"
>    rel="stylesheet">

No.

First, if $c->uri_for gives you a URI which isn’t already correctly
URI-encoded, then it has a bug which should be reported. And if it does
give you correctly encoded URIs, as it should and probably does, then
re-encoding them will break any already-encoded parts.

Second, you are outputting URIs into HTML content, and URIs can contain
verbatim things that are metacharacters in HTML, such as ampersands.
Those need to be entity-escaped for HTML. If you aren’t doing that, then
you are producing broken HTML.

So what you are directing Trevor to do is broken – and not just once but
twice.

In practice, URIs that require escaping are uncommon and browsers go to
enormous lengths to understand broken HTML (and unescaped ampersands in
URIs are a very common problem), so you can go for a long time without
running into these problems. But that code is still broken, and broken twice,
nonetheless.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
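The two failure modes described above, re-encoding an already percent-encoded URI and writing a raw ampersand into an HTML attribute, as an added example that is not part of the original thread. It is written in Python rather than Template Toolkit: `url_filter` only approximates TT's `url` filter (it leaves the reserved characters `;/?:@&=+$,` alone and, like any percent-encoder, does not treat `%` itself as safe), `html_filter` stands in for the `html` filter, and the sample URI and its `copy` query parameter are constructed so that the entity collision is visible.

```python
# Added example, not code from the Catalyst thread or from Template Toolkit.
import html
from urllib.parse import quote, unquote

# Constructed sample: the kind of URI $c->uri_for hands back, already
# percent-encoded (space -> %20, e-acute -> %C3%A9) and joining two query
# parameters with a literal '&'. The parameter name 'copy' is chosen so the
# HTML-entity collision (&copy) shows up.
APP_URI = "/search?q=caf%C3%A9%20au%20lait&copy=2"

# Approximation of TT's `url` filter: keep URI-reserved characters, encode the
# rest. What matters for the argument is that '%' is not in the safe set, so
# an already-encoded URI gets its escapes encoded a second time.
TT_URL_SAFE = ";/?:@&=+$,!*'()"


def url_filter(text):
    return quote(text, safe=TT_URL_SAFE)


def html_filter(text):
    # Entity-escape & < > " ' so the value is safe inside an HTML attribute.
    return html.escape(text, quote=True)


def decoded_once(uri):
    # What the receiving server sees after its single percent-decode.
    return unquote(uri)


def render_link(href):
    # The correct pipeline: the URI is already a URI, the only transformation
    # the HTML context needs is entity escaping.
    return '<link href="%s" rel="stylesheet">' % html_filter(href)


def html_parser_view(attr_value):
    # What an HTML parser makes of an attribute value. Python's html.unescape
    # applies the HTML5 named-character-reference table, including legacy
    # names such as 'copy' that need no trailing semicolon.
    return html.unescape(attr_value)


if __name__ == "__main__":
    twice = url_filter(APP_URI)
    print("url filter output     :", twice)
    print("server decodes that to:", decoded_once(twice))   # percent signs are now data
    print("intended query        :", decoded_once(APP_URI))

    print("raw '&' in attribute  :", html_parser_view(APP_URI))  # '&copy' -> '(c)'
    print("html filter output    :", render_link(APP_URI))
    print("parser recovers       :", html_parser_view(html_filter(APP_URI)))
```

Running it shows both breakages side by side: the `url` filter turns `%20` into `%2520`, so the server decodes the query back to the literal string `caf%C3%A9%20au%20lait` instead of `café au lait`, while the unescaped `&copy=2` is swallowed by the entity table. Only the `html`-filtered form survives a round trip through an HTML parser unchanged.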