
This queue is for tickets about the Template-Toolkit CPAN distribution.

Report information
The Basics
Id: 123104
Status: resolved
Priority: 0/
Queue: Template-Toolkit

People
Owner: Nobody in particular
Requestors: victor [...] vsespb.ru
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 2.26
Fixed in: (no value)



Subject: uri filter behaviour contradicts docs and seems wrong
use strict;
use warnings;
use Template;
print Template->VERSION, "\n";
Template->new->process( \'[% x |html %]', { x => q{'"} } );
__END__

prints

2.26
'"

that means:
1) single quote not escaped
2) double quote is escaped

here are the docs:
https://metacpan.org/pod/Template::Manual::Filters#uri
====
As of version 2.26 of the Template Toolkit, the uri and url filters use the unsafe character set defined by RFC3986. This means that certain characters ("(", ")", "~", "*", "!" and the single quote "'") are now deemed unsafe and will be escaped as hex character sequences. The double quote character ('"') is now deemed safe and will not be escaped.
====

docs say that:
1) single quote will be escaped
2) double quote will not be escaped

and according to https://www.ietf.org/rfc/rfc3986.txt seems docs are correct and code is wrong.

Ticket text was correct but example wrong. Here is the correct PoC:

use strict;
use warnings;
use Template;
print Template->VERSION, "\n";
Template->new->process( \'[% x |uri %]', { x => q{'"} } );
__END__

2.26
'%22

On Fri Sep 22 13:59:21 2017, vsespb wrote:
> use strict;
> use warnings;
> use Template;
> print Template->VERSION, "\n";
> Template->new->process( \'[% x |html %]', { x => q{'"} } );
> __END__
> prints
>
> 2.26
> '"
>
> that means:
> 1) single quote not escaped
> 2) double quote is escaped
>
> here are the docs:
> https://metacpan.org/pod/Template::Manual::Filters#uri
> ====
> As of version 2.26 of the Template Toolkit, the uri and url filters
> use the unsafe character set defined by RFC3986. This means that
> certain characters ("(", ")", "~", "*", "!" and the single quote "'")
> are now deemed unsafe and will be escaped as hex character sequences.
> The double quote character ('"') is now deemed safe and will not be
> escaped.
> ====
>
> docs say that:
> 1) single quote will be escaped
> 2) double quote will not be escaped
>
> and according to https://www.ietf.org/rfc/rfc3986.txt seems docs are
> correct and code is wrong.

Ticket migrated to github as https://github.com/abw/Template2/issues/141
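
An added example, not part of the ticket or of Template Toolkit's code: it sorts the characters named in the ticket into the RFC 3986 section 2 character sets and percent-encodes each one under two policies, so a filter's output can be compared against the RFC. The function names `classify` and `pct_encode` and the two policies are assumptions made for illustration.

```perl
use strict;
use warnings;

# Character sets from RFC 3986 section 2, written as regex class bodies.
my $UNRESERVED = q{A-Za-z0-9\-._~};    # 2.3: never needs escaping
my $GEN_DELIMS = q{:/?#\[\]@};         # 2.2: reserved
my $SUB_DELIMS = q{!$&'()*+,;=};       # 2.2: reserved
my $RESERVED   = $GEN_DELIMS . $SUB_DELIMS;

# Name the RFC 3986 set a single character belongs to.
sub classify {
    my ($ch) = @_;
    return 'unreserved' if $ch =~ /\A[$UNRESERVED]\z/;
    return 'gen-delim'  if $ch =~ /\A[$GEN_DELIMS]\z/;
    return 'sub-delim'  if $ch =~ /\A[$SUB_DELIMS]\z/;
    return 'not allowed raw';    # may appear in a URI only percent-encoded
}

# Percent-encode every byte that is not in the given safe set.
# Wide characters are encoded as their UTF-8 bytes first.
sub pct_encode {
    my ($str, $safe) = @_;
    utf8::encode($str) if utf8::is_utf8($str);
    $str =~ s/([^$safe])/sprintf('%%%02X', ord $1)/ge;
    return $str;
}

# Policy 1 (assumed name "component"): keep only unreserved characters,
# suitable for a single path segment or query value.
# Policy 2 (assumed name "whole-uri"): also keep reserved characters,
# suitable for a complete URI whose delimiters must survive.
for my $ch (split //, q{()~*!'"}) {
    printf "%-2s %-16s component=%-4s whole-uri=%s\n",
        $ch,
        classify($ch),
        pct_encode($ch, $UNRESERVED),
        pct_encode($ch, $UNRESERVED . $RESERVED);
}
```

Running the same characters through `[% x | uri %]` and `[% x | url %]` in the installed Template Toolkit version and diffing against this table shows which policy, if either, each filter follows.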