[regression] Double quotes must be escaped per RFC 3986 #35
abw added a commit that referenced this issue on Mar 8, 2015
abw added a commit that referenced this issue on Mar 8, 2015
jsonn pushed a commit to jsonn/pkgsrc that referenced this issue on Apr 19, 2017
#-----------------------------------------------------------------------
# Version 2.27 - 13th December 2016
#------------------------------------------------------------------------
* Ghost fixed the regex in the uri/url filters, removing double quotes to make it RFC3986 compliant. abw/Template2#35
* Sean Zellmer added testrules.yml to always run compile*.t sequentially abw/Template2#45
* Simon Dawson added 'empty' vmethods for scalar, list and hash abw/Template2#46
* Dennis Clark added --envvars option to tpage abw/Template2#49
* Yanick Champoux made Template::Toolkit a module abw/Template2#51
* Various warnings silenced and typos fixed.
docs are still wrong https://rt.cpan.org/Ticket/Display.html?id=123104
Code and docs both wrong; PR at #72, hope that's helpful!
This fix has already been merged.
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue on Nov 24, 2018
Upstream changes:
Version 2.28 - 11th October 2018
#------------------------------------------------------------------------
* Add and enable Travis CI to track GitHub Pull Requests
* Template is now using GitHub as the official Bug Tracker
* Nicolas R. fixed a circular reference in Template::Plugin::Filter abw/Template2#152
* Nicolas R. adjusted group regexes to not be greedy abw/Template2#94
* Nicolas R. added unit tests to cover regression from RT 91172 abw/Template2#122
* Nicolas R. added support for template files having mtime=0 abw/Template2#102
* Todd Rinaldo fixed rand calls with no args in Math plugin abw/Template2#155
* Todd Rinaldo corrected ttree 2.22 logic change abw/Template2#148
* Todd Rinaldo turned off automated testing for tests using optional modules abw/Template2#156
* Nicolas R. adjusted unit tests to not force Stash::XS
* Nicolas R. added a pre allocated buffer in Stash.xs to avoid malloc/free abw/Template2#82
* Nicolas R. optimized Template::Parser by avoiding a dummy sub abw/Template2#83
* Nicolas R. optimized Template:Directive by using index abw/Template2#84
* Nicolas R. adjust _dotop logic in Stash for perl 5.28 and earlier abw/Template2#81
* Todd Rinaldo documented VMethod method called 'item' abw/Template2#90
* Nicolas R. adjusted t/filter.t after recent switch to RFC3986 abw/Template2#179
* Nicolas R. fixed warnings from t/cgi.t abw/Template2#178
* Ivan Krylov added STRICT option to ttree abw/Template2#81
* Kent Fredric fixed relative path handling in templates on Perl 5.26+ abw/Template2#80
* Tom Delmas fixed some typo from documentation abw/Template2#76
* Matthew Somerville switched uri/url to use RFC3986 updated the documentation to match the history. abw/Template2#35
* Sebastien Deseille used remove_tree helper to remove directories abw/Template2#67
* Nick Hibma - Add Sortkeys to DUMPER_ARGS abw/Template2#64
* E. Choroba added a warn on duplicate block name abw/Template2#61
* Jason Lewis fixed some typo in ttree.pod abw/Template2#58
In #13, the regexp used for RFC 3986 is incorrect and must not include double quotes. Double quotes must still be escaped, see:
http://tools.ietf.org/html/rfc3986#section-2.3
http://search.cpan.org/~gaas/URI/URI/Escape.pm
This is a severe regression as <a href="http://www.foo.com/id=[% foo FILTER uri %]&name=[% bar FILTER uri %]" would be broken if one of the variables contains a double quote in its value as it would prematurely close the URL.
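The effect described in this issue, as an added Perl example that is not code from Template Toolkit or from the issue author. `uri_rfc3986` escapes everything outside the RFC 3986 section 2.3 unreserved set, while `uri_lenient` is a constructed stand-in for a filter whose safe set also contains the double quote; the function names and the sample value are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# RFC 3986 section 2.3 unreserved characters:
# ALPHA / DIGIT / "-" / "." / "_" / "~"
my $UNRESERVED = 'A-Za-z0-9\-._~';

# Percent-encode every byte of the UTF-8 form of $text that is not in the
# character class described by $safe.
sub escape_with {
    my ($text, $safe) = @_;
    utf8::encode($text);    # percent-encoding works on bytes, not characters
    $text =~ s/([^${safe}])/sprintf('%%%02X', ord($1))/eg;
    return $text;
}

# Strict filter: only unreserved characters pass through unescaped.
sub uri_rfc3986 { return escape_with($_[0], $UNRESERVED) }

# Hypothetical lenient filter: same set plus the double quote, which is the
# behaviour this issue reports as a regression.
sub uri_lenient { return escape_with($_[0], $UNRESERVED . '"') }

# Constructed sample value containing double quotes.
my $foo = 'Acme "Pro" 3000';

for my $case (['lenient', \&uri_lenient], ['rfc3986', \&uri_rfc3986]) {
    my ($name, $filter) = @$case;
    my $value = $filter->($foo);

    # Same shape as the href in the issue text, reduced to one parameter.
    my $html = qq{<a href="http://www.foo.com/id=$value">link</a>};

    # A double-quoted HTML attribute value ends at the next double quote,
    # so this capture is the URL a browser would actually see.
    my ($parsed) = $html =~ /href="([^"]*)"/;

    print "$name filter\n";
    print "  markup:      $html\n";
    print "  href parsed: $parsed\n";
}
```

With the lenient filter the parsed href stops at the first quote inside the value; with the strict filter the quotes arrive as `%22` and the whole URL stays inside the attribute.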