in reply to encoding URLs in URLs

You do indeed want the uri_escape() method from URI::Escape. The escapeHTML() method from CGI is what you want when you're outputting user-provided HTML in a page. So escapeHTML() escapes HTML, uri_escape() escapes special characters for use in a URI. Simple :)

Re: Re: encoding URLs in URLs
by fizbin (Chaplain) on Apr 20, 2004 at 15:34 UTC

    Um... not quite. That is, yes, judicious use of escapeHTML can help to avoid having users enter html code where you just expected them to enter text, and fubar'ing the resulting page. However, what you've said seems to imply that you'd never use escapeHTML on text that you generate yourself.

    You really want to apply escapeHTML() to anything that you're sending out as part of an HTML page that you want used "as is". That is, assuming that the original poster is going to take the output of this function and put it into an html page (instead of, for example, sending it out as the value of a Location: redirect header), he should make sure that he outputs the equivalent of:

        use CGI;
        use URI::Escape;

        # here put code that prints out the page header, etc.

        my $secondurl = 'http://www.myothersite.com/myotherwebapp2/foo.asp?param=1&param=3';
        my $initialurl = 'http://www.mysite.com/mywebapp1/dosomething?'
                       . 'url=' . uri_escape($secondurl);
        print '<a href="', CGI::escapeHTML($initialurl), '">launch mywebapp</a>';

        # code that does the page footer

    In fact, I have a few times used something like this when formatting HTML output:

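        use CGI;
        use URI::Escape;

        # Append %param to $uri as a query string and return the result
        # HTML-escaped, ready to drop into an href attribute.
        sub queryToHTML {
            my ($uri, %param) = @_;
            my ($sepchar) = '?';
            if (!%param) {
                $sepchar = '';          # nothing to append
            }
            elsif ($uri =~ /\?/) {
                $sepchar = '&';         # $uri already has a query string
            }
            return CGI::escapeHTML(
                $uri . $sepchar . join '&',
                    map { uri_escape($_) . '=' . uri_escape($param{$_}) }
                    keys(%param)
            );
        }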

    If you can guarantee that your queries are going to and from web frameworks that understand ';' as a separator (like, for example, any vaguely modern CGI.pm), you can replace the references to '&' with ';' - the advantage of doing that is that the output html looks less ugly.
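
The two layers discussed in this thread, traced through a round trip. This is an added example, not code from either poster: the trailing `mode=launch` parameter is constructed for illustration, and the browser and receiving application are simulated with CGI::unescapeHTML and URI's query_form. It shows that escapeHTML() alone does not keep the nested URL intact; only uri_escape() does that, while escapeHTML() is what makes the '&' safe inside the attribute.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI ();
use URI;
use URI::Escape qw(uri_escape);

# Sample URLs in the shape used in the thread; 'mode=launch' is constructed.
my $inner = 'http://www.myothersite.com/myotherwebapp2/foo.asp?param=1&param=3';
my $base  = 'http://www.mysite.com/mywebapp1/dosomething?url=';
my $extra = '&mode=launch';

# What the receiving application sees: HTML-decode the attribute value as a
# browser would, then split the query string into key/value pairs.
sub received_params {
    my ($href_attr) = @_;
    my $url = CGI::unescapeHTML($href_attr);
    return [ URI->new($url)->query_form ];
}

my @cases = (
    # Both layers: uri_escape() for the nested URL, escapeHTML() for the page.
    [ 'uri_escape + escapeHTML', CGI::escapeHTML($base . uri_escape($inner) . $extra) ],
    # HTML layer only: the nested URL's own '?' and '&' are left raw.
    [ 'escapeHTML only',         CGI::escapeHTML($base . $inner . $extra) ],
);

for my $case (@cases) {
    my ($label, $href) = @$case;
    my @pairs = @{ received_params($href) };
    my $url_value = '';

    print "$label\n    <a href=\"$href\">\n";
    while (my ($key, $value) = splice(@pairs, 0, 2)) {
        print "    received: $key = $value\n";
        $url_value = $value if $key eq 'url';
    }
    # The nested URL must come back byte-for-byte identical.
    printf "    nested URL %s\n\n",
        $url_value eq $inner ? 'arrived intact' : 'was TRUNCATED';
}
```

In the second case the receiving application gets `url` cut off after `param=1`, plus a stray `param=3` that now belongs to the outer request.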