[ic] instant reparse?
Kevin Walsh
interchange-users@icdevgroup.org
Wed Feb 19 15:34:00 2003
Marc Brevoort [marc.brevoort@armazemdedados.com] wrote:
>
> I'm normally not in the habit of using named parameters
>
You should use them. Take the following example from one of your
articles, where $url and $params are initialised from CGI:
    [posttourl $url $params]
If $url is blank then the $params value will be the first in the
positional list. If $url somehow managed to contain a space then
it would take up the first and second positional parameter. This
sort of thing could turn out to be difficult to debug.
Now, you may wonder how the $url could be invalid/blank, but
remember that anyone can pass CGI values by calling a page like
this:
    somepage.html?somevar=some%20value&anothervar=anothervalue
Note that the 'somevar' CGI value contains a space.
Also note that if someone knew how to manipulate your forms, they
could use this technique to send nonsense/disruptive requests to
arbitrary $url locations.
>
> A last detail to solve is that my posttourl tag returns an entire page
> which could, in theory, contain quotes, newlines, ] brackets, and so on,
> as you predicted.
>
Using the example from my previous article would solve that:
    [tmp result][posttourl url="[cgi myurl]" params="[cgi myparams]"][/tmp]
The entire result from [posttourl] would be captured in the 'result'
temporary scratch variable, with no worries relating to quote usage.
>
> If I could I'd avoid ITL altogether; I'm much more comfortable in Perl.
> I'd prefer to use $Tag->parsexml($xml) instead of [parsexml ...] but
> this makes safe mode complain because parsexml uses XML::Parser, so I'm
> stuck doing it the ITL way.
>
> When trying so, the html page shows [parsexml asdf] (where asdf is
> replaced by the newline-containing page loaded by posttourl) and the tag
> isn't run, I assume ITL is choking on the newlines etc. in the
> parameter.
>
> Is there a standard way to pass parameters like this to user tags, or is
> the best option to escape any control characters? I'd prefer to keep the
> code in the xml parser tag as much as possible equal to the plain-perl
> code that I know is working.
>
How about defining your UserTag as a container, so you'd do this:
    [parsexml]
    your
    xml
    here
    [/parsexml]
Simply add the following line to your UserTag definition:
    UserTag parsexml hasEndTag 1
--
Kevin Walsh
kevin@cursor.biz
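
Added example, not part of the original message and not Interchange's own parser: a simplified Python model of the positional and named [posttourl] calls discussed above, showing how a blank or space-containing CGI value shifts positional arguments while the named form keeps each value whole. The sample query strings, the `ALLOWED_HOSTS` allowlist and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = {"api.example.com"}  # hypothetical allowlist (assumption)

def cgi_values(query):
    """Decode a query string the way a CGI layer would, keeping blank values."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def positional(cgi):
    """Model of [posttourl $url $params]: values are pasted in as text,
    then the tag body is split on whitespace and bound by position."""
    text = "posttourl {} {}".format(cgi.get("myurl", ""), cgi.get("myparams", ""))
    args = text.split()[1:]
    return dict(zip(("url", "params"), args)), args[2:]

def named(cgi, template='[posttourl url="[cgi myurl]" params="[cgi myparams]"]'):
    """Model of the named form: names are bound from the template first,
    then each [cgi x] value is looked up whole, spaces and all."""
    pairs = re.findall(r'(\w+)="\[cgi (\w+)\]"', template)
    return {name: cgi.get(var, "") for name, var in pairs}

def url_allowed(url):
    """Check for the 'arbitrary $url' problem: https and an allowlisted host only."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return (parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS
            and " " not in url)

# Constructed sample requests (not from the thread).
SAMPLES = {
    "normal": "myurl=https://api.example.com/post&myparams=a%3D1",
    "blank":  "myurl=&myparams=a%3D1",
    "space":  "myurl=https://api.example.com/x%20y&myparams=a%3D1",
    "other":  "myurl=https://elsewhere.example/post&myparams=a%3D1",
}

if __name__ == "__main__":
    for label, query in SAMPLES.items():
        cgi = cgi_values(query)
        bound, extra = positional(cgi)
        print(label, "positional:", bound, "extra:", extra)
        print(label, "named:", named(cgi), "allowed:", url_allowed(named(cgi)["url"]))
```

In the "blank" case the positional model binds the params value to url, and in the "space" case the real params value falls off the end as an extra argument; the named model returns both values unchanged, which is what lets a check such as `url_allowed` see the value the client actually sent.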