On Sat, Sep 26, 2020 at 1:36 PM Sam Ruby <ru...@intertwingly.net> wrote:
>
> On Sat, Sep 26, 2020 at 12:22 PM sebb <seb...@gmail.com> wrote:
> >
> > On Sat, 26 Sep 2020 at 16:37, Sam Ruby <ru...@intertwingly.net> wrote:
> > >
> > > On Sat, Sep 26, 2020 at 10:55 AM sebb <seb...@gmail.com> wrote:
> > > >
> > > > The URI.escape method is deprecated, and should be replaced.
> > > >
> > > > However, I'm not sure it's actually needed for Wunderbar code.
> > > >
> > > > For example, posted-reports.json.rb has
> > > >
> > > > _link THREAD + URI.escape('<' + mail.message_id + '>')
> > > >
> > > > However surely Wunderbar _json handles any necessary escaping?
> > > >
> > > > And posted-reports.cgi has:
> > > > href = THREAD + URI.escape('<' + mail.message_id + '>')
> > > > ...
> > > > _a mail.subject, href: href
> > > >
> > > > Again, I would expect Wunderbar to do the necessary.
> > >
> > > Wunderbar would need a way to know if the href was already escaped.
> >
> > I've just checked, and it does do some escaping:
> >
> > $ ruby -rwunderbar -e'_html {x="<a@b.c>"; y="&"; _h3 x ; _a y, href: x }'
> >
> > gives the following body:
> >
> > <h3><a@b.c></h3>
> > <a href="<a@b.c>">&</a>
> >
> > This suggests that Wunderbar expects unescaped input?
>
> Currently, wunderbar does indeed do HTML escaping (consistently, for
> all text and attribute content), but it doesn't do URL escaping.
>
> What would you expect the following to return?
>
> % ruby -r wunderbar -e '_html {x="http://example.com?q=foo%20bar"; _a x, href: x}'

It is also worth understanding why URI.escape was deprecated. The rules for escaping a URI depend on the part of the URI involved. The correct way to form a URI is to escape each part separately and then combine the parts.

- Sam Ruby
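The approach described in the message above (escape each URI part separately, combine, and treat HTML escaping as a separate layer), as an added example that is not part of the original thread and is not Wunderbar or Whimsy code. `THREAD_BASE`, `SAMPLE_ID` and the helper names are constructed for illustration; only standard-library calls are used.

```ruby
require 'uri'
require 'erb'

# Constructed placeholder; the real THREAD value is not shown in the thread.
THREAD_BASE = 'https://lists.example.org/thread/'

# Constructed Message-ID containing characters that are significant in a URL.
SAMPLE_ID = 'a/b?c#d+e@mail.example.org'

# Percent-encode ONE path segment: everything except unreserved characters,
# so '/', '?' and '#' inside the value cannot change the URL's structure.
def path_segment(value)
  ERB::Util.url_encode(value)
end

# Escape each part with the rules for that part, then combine.
def thread_url(message_id, query = {})
  url = THREAD_BASE + path_segment("<#{message_id}>")
  url += '?' + URI.encode_www_form(query) unless query.empty?
  url
end

# HTML escaping is a second, independent layer applied to the finished URL
# when it is written into an attribute (the step Wunderbar does itself).
def href_attr(url)
  %(href="#{ERB::Util.html_escape(url)}")
end

# Escaping a value that is already escaped corrupts it, which is why a
# library cannot safely guess whether its input still needs URL escaping.
def double_escaped(value)
  path_segment(path_segment(value))
end

if __FILE__ == $PROGRAM_NAME
  url = thread_url(SAMPLE_ID, 'q' => 'foo bar', 'x' => 'a&b')
  puts url
  puts href_attr(url)
  puts double_escaped('foo bar')
end
```
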