Um... not quite. That is, yes, judicious use of escapeHTML can help to avoid having users enter html code where you just expected them to enter text, and fubar'ing the resulting page. However, what you've said seems to imply that you'd never use escapeHTML on text that you generate yourself.
You really want to apply escapeHTML() to anything that you're sending out as part of an HTML page that you want used "as is". That is, assuming that the original poster is going to take the output of this function and put it into an html page (instead of, for example, sending it out as the value of a Location: redirect header), he should make sure that he outputs the equivalent of:
use CGI;
use URI::Escape;
# here put code that prints out the page header, etc.
my $secondurl = 'http://www.myothersite.com/myotherwebapp2/foo.asp?param=1&param=3';
# uri_escape() encodes the nested URL so its '?', '=' and '&' travel as one query value
my $initialurl = 'http://www.mysite.com/mywebapp1/dosomething?' . 'url=' . uri_escape($secondurl);
# escapeHTML() protects the href attribute the URL is being dropped into
print '<a href="',
    CGI::escapeHTML($initialurl),
    '">launch mywebapp</a>';
# code that does the page footer
In fact, I have a few times used something like this when formatting HTML output:
sub queryToHTML
{
    my ($uri, %param) = @_;
    # no params: no separator at all; $uri already has a query string: append with '&'
    my ($sepchar) = '?';
    if (!%param) { $sepchar = ''; }
    elsif ($uri =~ /\?/) { $sepchar = '&'; }
    # inner layer: uri_escape each key and value; outer layer: escapeHTML the finished URL
    return CGI::escapeHTML(
        $uri . $sepchar .
        join '&',
        map {uri_escape($_) . '=' . uri_escape($param{$_})}
        keys(%param)
    );
}
If you can guarantee that your queries are going to and from web frameworks that understand ';' as a separator (like, for example, any vaguely modern CGI.pm), you can replace the references to '&' with ';' - the advantage of doing that is that the output html looks less ugly.
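The two encoding layers described in the reply above, as an added, self-contained example (not the original poster's code): a `link_to_app()` helper applies `uri_escape()` to each query value and then `escapeHTML()` to the finished URL, followed by the two failure modes that occur when either layer is skipped. The helper name, the `$SEP` package variable, and the sample inputs are constructed for this illustration; it assumes CGI.pm is installed (it left the Perl core at 5.22, so it may need to come from CPAN).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI ();                       # for CGI::escapeHTML (assumes CGI.pm is installed)
use URI::Escape qw(uri_escape);

# Query-string separator. '&' is universal; ';' is understood by CGI.pm and
# friends and needs no escaping inside HTML attributes (see the reply above).
our $SEP = '&';

# Build an <a href="..."> for $base with %param appended to its query string.
# Inner layer: uri_escape() every key and value, so '?', '=', '&', '"' and '<'
# inside a value cannot be mistaken for URL or markup structure.
# Outer layer: escapeHTML() the finished URL, so the remaining literal
# separators and anything else HTML-significant are safe inside the attribute.
sub link_to_app {
    my ($base, %param) = @_;
    my $sep = !%param ? '' : ($base =~ /\?/ ? $SEP : '?');
    my $url = $base . $sep . join $SEP,
        map { uri_escape($_) . '=' . uri_escape($param{$_}) } sort keys %param;
    return '<a href="' . CGI::escapeHTML($url) . '">launch mywebapp</a>';
}

my $base = 'http://www.mysite.com/mywebapp1/dosomething';

# Constructed inputs: a nested URL that carries its own query string, and a
# value with characters that matter to both layers (quote, '<', '&').
my $second  = 'http://www.myothersite.com/myotherwebapp2/foo.asp?param=1&param=3';
my $hostile = q{"><script>alert(1)</script>&x=y};

# Correct: the nested URL survives as a single 'url' value because its
# '?', '=' and '&' are %-escaped; escapeHTML then finds nothing to change.
print link_to_app($base, url => $second), "\n";

# Correct: the quote and '<' are %-escaped, so the value cannot close the
# href attribute or start a script element.
print link_to_app($base, q => $hostile), "\n";

# Correct, two parameters: the literal separator between them is the only
# thing escapeHTML touches ('&' becomes '&amp;'; with $SEP = ';' it stays as is).
print link_to_app($base, a => 'one two', b => 'x/y'), "\n";
{
    local $SEP = ';';
    print link_to_app($base, a => 'one two', b => 'x/y'), "\n";
}

# Failure mode 1: no encoding at all. The value closes the attribute and
# injects markup into the page.
print '<a href="' . $base . '?q=' . $hostile . '">x</a>', "\n";

# Failure mode 2: escapeHTML only. The page is well-formed, but the receiving
# app sees '&param=3' as a separate parameter, so the nested URL arrives
# truncated to 'http://www.myothersite.com/myotherwebapp2/foo.asp?param=1'.
print '<a href="' . CGI::escapeHTML($base . '?url=' . $second) . '">x</a>', "\n";
```

Run it and compare the five printed links: only the first three keep the attribute boundary and the nested query string intact. The `uri_escape()` default leaves just `A-Za-z0-9-_.!~*'()` unescaped, which is why the quote, `<`, `/` and `&` in the hostile value all come out as `%XX` sequences before `escapeHTML()` ever sees them.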