[regression] Double quotes must be escaped per RFC 3986 #35

Closed
ghost opened this issue Feb 10, 2014 · 3 comments

Comments

ghost commented Feb 10, 2014

In #13, the regexp used for RFC 3986 is incorrect and must not include double quotes. Double quotes must still be escaped, see:

http://tools.ietf.org/html/rfc3986#section-2.3
http://search.cpan.org/~gaas/URI/URI/Escape.pm

This is a severe regression, as <a href="http://www.foo.com/id=[% foo FILTER uri %]&name=[% bar FILTER uri %]" would be broken if one of the variables contains a double quote in its value, as it would prematurely close the URL.
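
The failure described in the report above, shown as an added example that is not part of the original issue or the project's code: the same value is percent-encoded with the RFC 3986 section 2.3 unreserved set and with a hypothetical safe set that also lets the double quote through. The helper names, the over-permissive set and the sample value are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# RFC 3986 section 2.3 unreserved set: ALPHA / DIGIT / "-" / "." / "_" / "~"
my $RFC3986_UNRESERVED = 'A-Za-z0-9\-._~';

# Hypothetical over-permissive set, constructed for this example (not the
# project's regex): the unreserved characters plus the double quote.
my $UNRESERVED_PLUS_QUOTE = $RFC3986_UNRESERVED . '"';

# Percent-encode every byte of $text that is outside the class $safe.
sub escape_with {
    my ($safe, $text) = @_;
    utf8::encode($text) if utf8::is_utf8($text);    # escape UTF-8 bytes
    $text =~ s/([^$safe])/sprintf('%%%02X', ord($1))/ge;
    return $text;
}

# Build the anchor tag from the issue, with one escaped value in the URL.
sub anchor_for {
    my ($safe, $value) = @_;
    return '<a href="http://www.foo.com/id=' . escape_with($safe, $value) . '">';
}

# What an HTML parser takes as the href value: everything up to the first
# double quote after the opening one.
sub parsed_href {
    my ($tag) = @_;
    my ($href) = $tag =~ /href="([^"]*)"/;
    return $href;
}

my $value = '6" nails';    # constructed sample value containing a double quote

for my $case (
    [ 'quote left unescaped', $UNRESERVED_PLUS_QUOTE ],
    [ 'RFC 3986 unreserved',  $RFC3986_UNRESERVED ],
) {
    my ($label, $safe) = @$case;
    my $tag = anchor_for($safe, $value);
    printf "%-22s tag:  %s\n", $label, $tag;
    printf "%-22s href: %s\n", '', parsed_href($tag);
}
```

With the quote left unescaped, the parsed href stops at the quote inside the value and the rest of the value lands outside the attribute; with the RFC 3986 set the quote becomes `%22` and the attribute stays intact.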

abw added a commit that referenced this issue Mar 8, 2015
abw added a commit that referenced this issue Mar 8, 2015
jsonn pushed a commit to jsonn/pkgsrc that referenced this issue Apr 19, 2017
#-----------------------------------------------------------------------
# Version 2.27 - 13th December 2016
#------------------------------------------------------------------------

* Ghost fixed the regex in the uri/url filters, removing double quotes
  to make it RFC3986 compliant.
  abw/Template2#35

* Sean Zellmer added testrules.yml to always run compile*.t sequentially
  abw/Template2#45

* Simon Dawson added 'empty' vmethods for scalar, list and hash
  abw/Template2#46

* Dennis Clark added --envvars option to tpage
  abw/Template2#49

* Yanick Champoux made Template::Toolkit a module
  abw/Template2#51

* Various warnings silenced and typos fixed.
vsespb commented Sep 22, 2017

docs are still wrong https://rt.cpan.org/Ticket/Display.html?id=123104

Contributor

dracos commented Jan 2, 2018

Code and docs both wrong; PR at #72, hope that's helpful!

toddr added the has patch label Oct 5, 2018
Collaborator

toddr commented Oct 5, 2018

This fix has already been merged.

toddr closed this as completed Oct 5, 2018
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Nov 24, 2018
Upstream changes:
Version 2.28 - 11th October 2018
#------------------------------------------------------------------------

* Add and enable Travis CI to track GitHub Pull Requests

* Template is now using GitHub as the official Bug Tracker

* Nicolas R. fixed a circular reference in Template::Plugin::Filter
  abw/Template2#152

* Nicolas R. adjusted group regexes to not be greedy
  abw/Template2#94

* Nicolas R. added unit tests to cover regression from RT 91172
  abw/Template2#122

* Nicolas R. added support for template files having mtime=0
  abw/Template2#102

* Todd Rinaldo fixed rand calls with no args in Math plugin
  abw/Template2#155

* Todd Rinaldo corrected ttree 2.22 logic change
  abw/Template2#148

* Todd Rinaldo turned off automated testing for tests using optional modules
  abw/Template2#156

* Nicolas R. adjusted unit tests to not force Stash::XS

* Nicolas R. added a pre allocated buffer in Stash.xs to avoid malloc/free
  abw/Template2#82

* Nicolas R. optimized Template::Parser by avoiding a dummy sub
  abw/Template2#83

* Nicolas R. optimized Template::Directive by using index
  abw/Template2#84

* Nicolas R. adjust _dotop logic in Stash for perl 5.28 and earlier
  abw/Template2#81

* Todd Rinaldo documented VMethod method called 'item'
  abw/Template2#90

* Nicolas R. adjusted t/filter.t after recent switch to RFC3986
  abw/Template2#179

* Nicolas R. fixed warnings from t/cgi.t
  abw/Template2#178

* Ivan Krylov added STRICT option to ttree
  abw/Template2#81

* Kent Fredric fixed relative path handling in templates on Perl 5.26+
  abw/Template2#80

* Tom Delmas fixed some typo from documentation
  abw/Template2#76

* Matthew Somerville switched uri/url to use RFC3986
  updated the documentation to match the history.
  abw/Template2#35

* Sebastien Deseille used remove_tree helper to remove directories
  abw/Template2#67

* Nick Hibma - Add Sortkeys to DUMPER_ARGS
  abw/Template2#64

* E. Choroba added a warn on duplicate block name
  abw/Template2#61

* Jason Lewis fixed some typo in ttree.pod
  abw/Template2#58