Hi,
for some time I have been writing things like this in my templates:

    <a href="[% c.uri_for(c.controller.action_for('object'), [ file ]) %]"><img
        src="[% c.uri_for(c.controller.action_for('thumbnail'), [ file ]) %]"
        alt="[% video | html %]" /></a>

where file is something which can contain a lot of dangerous characters.
I assumed (and after experimenting a bit it seemed to be the case) that
it would escape spaces, quotes, slashes, etc. using the %XX URL-escapes.
It seems to do so, even for /, for example.
However, it does not escape the % character itself. Yes, I do have filenames
with % in them :)
The url filter in the Template Toolkit does, so the following work-around
works (because already %-encoded sequences are left untouched by uri_for()):

    [% file = path _ video | url %]

Am I mistaken to think that c.uri_for(x, y) does the auto-filtering
for y as required?
I might also have a question regarding the priority of operations in
path _ video | url. In my case it works, because path doesn't contain %,
but slashes.
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
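
An added example, not part of the original post and not Catalyst's or Template Toolkit's code: it models the behaviour the post describes with a hypothetical encoder that escapes everything except '%', and compares it with one that escapes '%' as well. The sub names and file names are constructed; the point is that when '%' is left alone, a file name that already looks percent-encoded decodes to a different name on the receiving side and can collide with another file.

```perl
use strict;
use warnings;

# Hypothetical model of the behaviour described in the post: every byte
# outside the unreserved set is escaped, except '%', which passes through.
sub encode_leaving_percent {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~%])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Strict variant: '%' is escaped too (as %25), so any name round-trips.
sub encode_strict {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# What the receiving side does with one path segment.
sub decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Constructed sample file names (ASCII only).
my @files = ('50% off.avi', 'a%2Fb.avi', 'a/b.avi', 'report%20final.avi');

for my $case (['percent left alone', \&encode_leaving_percent],
              ['percent escaped',    \&encode_strict]) {
    my ($label, $encode) = @$case;
    print "== $label ==\n";
    my %seen;    # encoded segment -> first file name that produced it
    for my $name (@files) {
        my $enc  = $encode->($name);
        my $back = decode($enc);
        my $note = $back eq $name ? 'round-trips' : "decodes to '$back'";
        $note .= ", collides with '$seen{$enc}'" if exists $seen{$enc};
        $seen{$enc} //= $name;
        printf "%-22s -> %-28s %s\n", "'$name'", $enc, $note;
    }
}
```

If the URL is the only handle the object and thumbnail actions have on the file, the strict form is the one that guarantees the name they decode is the name the template was given.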