according to the documentation, only the url_for from ActionView escape the URL. which happens on this line escape ? html_escape(url) : url and can be prevented by passing :escape => false to url_for. still according to the documentation, the url_for from ActionController is not supposed to escape the url. BUT IT DOES. at the moment of this line escape ? html_escape(url) : url url has already been escaped by the url_for from action_controller thus the option :escape is irrelevant. I believe someone change something without knowing this. the url_for from the controller is not suppose to escape the url while it does. and the :escape => false just prevent the url from being escaped AGAIN. I went a bit into the code, as far as Routing::Routes.generate so it get escaped somewhere in there. That''s as far as I check regards, --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com To unsubscribe from this group, send email to rubyonrails-core-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-core -~----------~----~----~----~------~----~------~--~---
according to the documentation, only the url_for from ActionView escape the URL. which happens on this line escape ? html_escape(url) : url and can be prevented by passing :escape => false to url_for. still according to the documentation, the url_for from ActionController is not supposed to escape the url. BUT IT DOES. at the moment of this line escape ? html_escape(url) : url url has already been escaped by the url_for from action_controller thus the option :escape is irrelevant. I believe someone change something without knowing this. the url_for from the controller is not suppose to escape the url while it does. and the :escape => false just prevent the url from being escaped AGAIN. I went a bit into the code, as far as Routing::Routes.generate so it get escaped somewhere in there. That''s as far as I check regards, --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com To unsubscribe from this group, send email to rubyonrails-core-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-core -~----------~----~----~----~------~----~------~--~---
somekool wrote:> according to the documentation, only the url_for from ActionView escape > the > URL.<snip>> still according to the documentation, the url_for from ActionController > is not supposed to escape the url. > BUT IT DOES.Where have you seen the double-escaping behaviour? I''ve found some problems with some of the form-related helpers where URLs are double-escaped, but the problem is in the helpers, not in ActionController''s url_for. Can you give us some example code that shows this escaping happening? Chris --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com To unsubscribe from this group, send email to rubyonrails-core-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-core -~----------~----~----~----~------~----~------~--~---
Lets clarify what I said. The url is escaped twice, but the output is
the same.
it changes a quote for example into %xx but the second time, it remains
%xx unchanged, cuz its ok
lets look at the function
def url_for(options = {}, *parameters_for_method_reference)
if options.kind_of? Hash
options = { :only_path => true
}.update(options.symbolize_keys)
escape = options.key?(:escape) ? options.delete(:escape) :
true
else
escape = true
end
url = @controller.send(:url_for, options,
*parameters_for_method_reference)
escape ? html_escape(url) : url
end
most of this function is related to check if :escape => false is
passed, in which case html_escape won''t be call.
but before this last line, url already been escaped.
so its not possible to prevent url_for from escaping the URL anymore.
and at this point. providing this option does nothing
but the value returned by html_escape will be the same as the value url
already has. so it does not get really escaped twice. but the string is
going into the machine twice, if you see what I mean.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com
To unsubscribe from this group, send email to
rubyonrails-core-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/rubyonrails-core
-~----------~----~----~----~------~----~------~--~---
somekool wrote:> it changes a quote for example into %xx but the second time, it remains > %xx unchanged, cuz its okI think this is where the confusion is arising. There are two different kinds of escaping going on. It sounds like you''re talking about the URL encoding that uses ''%xx'' to represent special characters. However, the html_escape function does something completely different. It takes a string and turns ''&'' into ''&'' and ''<'' into ''<'', etc., so that it can go into HTML without being interpreted as literal ''&''s and ''<''s. Escaping special characters in URLs using the ''%xx'' scheme is mandatory, otherwise they are not valid URLs. But HTML-escaping using ''&'' can be turned off using the :escape => false option. Of course, you always want to HTML-escape the URL at some point before outputting it in HTML. And most of the time it''s okay to let url_for do this for you. But sometimes you need to take the result of url_for and pass it through another function that does its own HTML-escaping. That''s when you can make use of the :escape => false option to url_for. Chris --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com To unsubscribe from this group, send email to rubyonrails-core-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-core -~----------~----~----~----~------~----~------~--~---
thank you for the enlightenment, it does clarify bunch of things
the reason I need the URL encoding not to be done, is because I pass
the url_for results to javascript code, and some part of the url is
javascript that gets evaluated to then become a valid URI.
so I decided to do something like this url_for(:action =>
''foo'', :id =>
''__js__'').gsub(''__js__'', js)
which works like I want, but I thought I could just pass an option to
url_for instead of the gsub
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com
To unsubscribe from this group, send email to
rubyonrails-core-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/rubyonrails-core
-~----------~----~----~----~------~----~------~--~---