Template::Filters - uri_filter/url_filter regex needs updating #13
Comments
|
Now updated. Thanks for bringing it to my attention. |
|
The regexp reported by mar-kolya for RFC 3986 is incorrect. Double quotes are not part of the regexp and must still be escaped, see: http://tools.ietf.org/html/rfc3986#section-2.3 my %Unsafe = ( Please fix that (and this would be a huge regression anyway as <a href="http://www.foo.com/id=[% foo FILTER uri %]&name=[% bar FILTER uri %]" would be broken if one of the variables contains a double quote in its value as it would prematurely close the URL). Looks like I cannot reopen this bug... :( |
|
Also note that the regexps from my previous comment are mangled by github as it removed backslashes and underscores. So make sure to not copy and paste from here. |
|
LpSolit, you are absolutely correct, you may want to open a new issue for that. In my original comment I've just copy-pased a bug from rt.cpan.org without complete verification. And the bug on rt.cpan.org was created before URI::Escape had that quote remove. My apologies for not verifying that bug report against RFC. |
ghost
mentioned this issue
|
I filed issue #35 about the regression. |
URI::Escape now uses the RFC3986 regex as below (lines from URI::Escape)
my %Unsafe = (
RFC2732 => qr/[^A-Za-z0-9-_.!~*'()]/,
RFC3986 => qr/[^A-Za-z0-9-._~"]/
);
lines 282 and 307 in Template::Filters should be updated accordingly to match the new RFC spec. (or allow config setting of RFC version)
Or maybe it's worth just using URI::Escape instead.
This is basically copy of issue reported on cpan: https://rt.cpan.org/Public/Bug/Display.html?id=57590
Thanks!
The text was updated successfully, but these errors were encountered: