Posted to dev@whimsical.apache.org by sebb <se...@gmail.com> on 2020/09/26 14:55:29 UTC

URI.escape - is it needed for wunderbar code?

The URI.escape method is deprecated, and should be replaced.

However, I'm not sure it's actually needed for Wunderbar code.

For example, posted-reports.json.rb has

_link THREAD + URI.escape('<' + mail.message_id + '>')

However surely Wunderbar _json handles any necessary escaping?

And posted-reports.cgi has:
href = THREAD + URI.escape('<' + mail.message_id + '>')
...
_a mail.subject, href: href

Again, I would expect Wunderbar to do the necessary.

S.

Re: URI.escape - is it needed for wunderbar code?

Posted by Sam Ruby <ru...@intertwingly.net>.
On Sat, Sep 26, 2020 at 1:36 PM Sam Ruby <ru...@intertwingly.net> wrote:
>
> On Sat, Sep 26, 2020 at 12:22 PM sebb <se...@gmail.com> wrote:
> >
> > On Sat, 26 Sep 2020 at 16:37, Sam Ruby <ru...@intertwingly.net> wrote:
> > >
> > > On Sat, Sep 26, 2020 at 10:55 AM sebb <se...@gmail.com> wrote:
> > > >
> > > > The URI.escape method is deprecated, and should be replaced.
> > > >
> > > > However, I'm not sure it's actually needed for Wunderbar code.
> > > >
> > > > For example, posted-reports.json.rb has
> > > >
> > > > _link THREAD + URI.escape('<' + mail.message_id + '>')
> > > >
> > > > However surely Wunderbar _json handles any necessary escaping?
> > > >
> > > > And posted-reports.cgi has:
> > > > href = THREAD + URI.escape('<' + mail.message_id + '>')
> > > > ...
> > > > _a mail.subject, href: href
> > > >
> > > > Again, I would expect Wunderbar to do the necessary.
> > >
> > > Wunderbar would need a way to know if the href was already escaped.
> >
> > I've just checked, and it does do some escaping:
> >
> > $ ruby  -rwunderbar -e'_html {x="<a...@b.c>"; y="&"; _h3 x ; _a  y, href: x  }'
> >
> > gives the following body:
> >
> >     <h3>&lt;a@b.c&gt;</h3>
> >     <a href="&lt;a@b.c&gt;">&amp;</a>
> >
> > This suggests that Wunderbar expects unescaped input?
>
> Currently, wunderbar does indeed do HTML escaping (consistently, for
> all text and attribute content), but it doesn't do URL escaping.
>
> What would you expect the following to return?
>
> % ruby -r wunderbar -e '_html {x="http://example.com?q=foo%20bar"; _a x, href: x}'

It is also worth understanding why URI.escape was deprecated.  The
rules for escaping a URI depend on the part of the URI involved.  The
correct way to form a URI is to escape each part separately and then
combine the parts.

- Sam Ruby
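
Added example, not code from this thread or from Wunderbar: it escapes each URI part with the rule for its position, combines the parts, and only then applies HTML escaping for the attribute. The THREAD value and the helper names are hypothetical; only Ruby standard-library calls are used.

```ruby
require 'erb'
require 'uri'

# Hypothetical stand-in for the THREAD constant; its real value is not shown in the thread.
THREAD = 'https://lists.example.org/thread.html/'

# URL layer, path segment: percent-encode everything outside the RFC 3986
# unreserved set, so "/", "?" and "#" inside a Message-ID stay data and
# cannot be read as path, query or fragment delimiters.
def escape_segment(raw)
  ERB::Util.url_encode(raw)
end

# URL layer, query string: every key and value is encoded on its own,
# then joined with "=" and "&" (form encoding, so a space becomes "+").
def build_query(params)
  URI.encode_www_form(params)
end

# Combine parts that were each escaped with the rule for their position.
def thread_href(message_id)
  THREAD + escape_segment("<#{message_id}>")
end

# HTML layer: stand-in for the text/attribute escaping the thread shows
# Wunderbar performing. It has no way to know whether href was already
# URL-escaped, so URL escaping must be finished before this point.
def anchor(text, href)
  %(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(text)}</a>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  puts thread_href('a@b.c')
  puts thread_href('x/y?z#w@b.c')
  # Escaping an already-escaped value encodes the "%" a second time.
  puts escape_segment('foo%20bar')
  puts anchor('R&D', 'http://example.com/?' + build_query('q' => 'foo bar', 'r' => '1'))
end
```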

Re: URI.escape - is it needed for wunderbar code?

Posted by Sam Ruby <ru...@intertwingly.net>.
On Sat, Sep 26, 2020 at 12:22 PM sebb <se...@gmail.com> wrote:
>
> On Sat, 26 Sep 2020 at 16:37, Sam Ruby <ru...@intertwingly.net> wrote:
> >
> > On Sat, Sep 26, 2020 at 10:55 AM sebb <se...@gmail.com> wrote:
> > >
> > > The URI.escape method is deprecated, and should be replaced.
> > >
> > > However, I'm not sure it's actually needed for Wunderbar code.
> > >
> > > For example, posted-reports.json.rb has
> > >
> > > _link THREAD + URI.escape('<' + mail.message_id + '>')
> > >
> > > However surely Wunderbar _json handles any necessary escaping?
> > >
> > > And posted-reports.cgi has:
> > > href = THREAD + URI.escape('<' + mail.message_id + '>')
> > > ...
> > > _a mail.subject, href: href
> > >
> > > Again, I would expect Wunderbar to do the necessary.
> >
> > Wunderbar would need a way to know if the href was already escaped.
>
> I've just checked, and it does do some escaping:
>
> $ ruby  -rwunderbar -e'_html {x="<a...@b.c>"; y="&"; _h3 x ; _a  y, href: x  }'
>
> gives the following body:
>
>     <h3>&lt;a@b.c&gt;</h3>
>     <a href="&lt;a@b.c&gt;">&amp;</a>
>
> This suggests that Wunderbar expects unescaped input?

Currently, wunderbar does indeed do HTML escaping (consistently, for
all text and attribute content), but it doesn't do URL escaping.

What would you expect the following to return?

% ruby -r wunderbar -e '_html {x="http://example.com?q=foo%20bar"; _a x, href: x}'

- Sam Ruby

Re: URI.escape - is it needed for wunderbar code?

Posted by sebb <se...@gmail.com>.
On Sat, 26 Sep 2020 at 16:37, Sam Ruby <ru...@intertwingly.net> wrote:
>
> On Sat, Sep 26, 2020 at 10:55 AM sebb <se...@gmail.com> wrote:
> >
> > The URI.escape method is deprecated, and should be replaced.
> >
> > However, I'm not sure it's actually needed for Wunderbar code.
> >
> > For example, posted-reports.json.rb has
> >
> > _link THREAD + URI.escape('<' + mail.message_id + '>')
> >
> > However surely Wunderbar _json handles any necessary escaping?
> >
> > And posted-reports.cgi has:
> > href = THREAD + URI.escape('<' + mail.message_id + '>')
> > ...
> > _a mail.subject, href: href
> >
> > Again, I would expect Wunderbar to do the necessary.
>
> Wunderbar would need a way to know if the href was already escaped.

I've just checked, and it does do some escaping:

$ ruby  -rwunderbar -e'_html {x="<a...@b.c>"; y="&"; _h3 x ; _a  y, href: x  }'

gives the following body:

    <h3>&lt;a@b.c&gt;</h3>
    <a href="&lt;a@b.c&gt;">&amp;</a>

This suggests that Wunderbar expects unescaped input?

> - Sam Ruby

Re: URI.escape - is it needed for wunderbar code?

Posted by Sam Ruby <ru...@intertwingly.net>.
On Sat, Sep 26, 2020 at 10:55 AM sebb <se...@gmail.com> wrote:
>
> The URI.escape method is deprecated, and should be replaced.
>
> However, I'm not sure it's actually needed for Wunderbar code.
>
> For example, posted-reports.json.rb has
>
> _link THREAD + URI.escape('<' + mail.message_id + '>')
>
> However surely Wunderbar _json handles any necessary escaping?
>
> And posted-reports.cgi has:
> href = THREAD + URI.escape('<' + mail.message_id + '>')
> ...
> _a mail.subject, href: href
>
> Again, I would expect Wunderbar to do the necessary.

Wunderbar would need a way to know if the href was already escaped.

- Sam Ruby