[Templates] html escaping

Randal L. Schwartz merlyn@stonehenge.com
16 Aug 2000 04:58:04 -0700


>>>>> "Jonas" == Jonas Liljegren <jonas@paranormal.se> writes:

Jonas> Variables in URLs should be URI-escaped rather than HTML-escaped. So this
Jonas> is the exception.  I would suggest that any explicit filtering overrides
Jonas> the specified default filtering.

Jonas> Examples:
Jonas>    my $template = Template->new({FILTER_GET => 'html'});

Actually, they need *both*.

If you want to link to

        /cgi/foo?fred=flint%20stone&barney=rubble

then you must transmit

        <a href="/cgi/foo?fred=flint%20stone&amp;barney=rubble">

so something like

        <a href="[% uri_generated_value | html %]">

is needed in your template.

(Please don't repeat the thread from mod_perl here about "but
my browser doesn't require that".  Yeah, on your test cases, it
was making up for your errors, but the day you have a parameter
named lt or gt or copy, you'll be very sorry. :)

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
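The two-step escaping the message describes, as an added example that is not part of the original post or of Template Toolkit: it is written in Python with the standard library, `build_href` and `params_seen_by_browser` are assumed names, and the browser side is simulated with `html.unescape`, which decodes legacy references such as `&lt` and `&copy` even without a trailing semicolon.

```python
"""Added example (not from the mailing-list post): why a generated URL placed in
an href needs URI-escaping AND HTML-escaping, and what breaks when only the
first step is done. Standard library only."""
import html
from urllib.parse import parse_qs, quote, urlencode, urlsplit


def uri_escaped_url(path, params):
    """Step 1 only: URI-escape the parameter values (what a uri filter does).
    quote (not quote_plus) is used so a space becomes %20 as in the post."""
    return path + "?" + urlencode(params, quote_via=quote)


def build_href(path, params):
    """Step 1 then step 2: URI-escape the values, then HTML-escape the whole
    string for use inside an attribute (the '| html' filter): & -> &amp;."""
    return html.escape(uri_escaped_url(path, params), quote=True)


def params_seen_by_browser(attr_value):
    """Simulate what a browser does with an href attribute value: decode
    character references first, then split the query string."""
    url = html.unescape(attr_value)
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # Constructed sample data, taken from the post's own example URL.
    ok = build_href("/cgi/foo", {"fred": "flint stone", "barney": "rubble"})
    print(ok)                        # /cgi/foo?fred=flint%20stone&amp;barney=rubble
    print(params_seen_by_browser(ok))

    # Parameters named like character references: skipping the html step
    # lets the browser turn '&lt=2' into '<=2' and the 'lt' parameter vanishes.
    risky = {"copy": "1", "lt": "2"}
    print(params_seen_by_browser(uri_escaped_url("/cgi/foo", risky)))  # lost
    print(params_seen_by_browser(build_href("/cgi/foo", risky)))       # intact
```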