From: Armin Ronacher Date: Mon, 25 May 2015 11:40:47 +0000 (+0200) Subject: Escape slashes in query strings. This fixes #445 X-Git-Tag: 2.8~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=46acbf02ed9ab58c7a92553c95790e75bdc3c930;p=thirdparty%2Fjinja.git Escape slashes in query strings. This fixes #445
---
diff --git a/CHANGES b/CHANGES
index cfe4c43c..ba820cc0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -31,6 +31,8 @@ Version 2.8
 (`code_generator_class` and `context_class`) (pull request ``#404``).
 - added support for context/environment/evalctx decorator functions on the finalize callback of the environment.
+- escape query strings for urlencode properly. Previously slashes were not
+ escaped in that place.
 Version 2.7.3
 -------------
diff --git a/jinja2/filters.py b/jinja2/filters.py
index 0fb5a5aa..4b444852 100644
--- a/jinja2/filters.py
+++ b/jinja2/filters.py
@@ -94,7 +94,8 @@ def do_urlencode(value):
 if itemiter is None:
 return unicode_urlencode(value)
 return u'&'.join(unicode_urlencode(k) + '=' +
- unicode_urlencode(v) for k, v in itemiter)
+ unicode_urlencode(v, for_qs=True)
+ for k, v in itemiter)
 @evalcontextfilter
diff --git a/jinja2/utils.py b/jinja2/utils.py
index e12255f2..cdd4cd3a 100644
--- a/jinja2/utils.py
+++ b/jinja2/utils.py
@@ -283,7 +283,7 @@ def generate_lorem_ipsum(n=5, html=True, min=20, max=100):
 return Markup(u'\n'.join(u'
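Review bot: In the filters.py hunk the key half of each pair is still quoted with the default mode (`unicode_urlencode(k)` on the unchanged `return u'&'.join(...)` line), so keys keep `/` unescaped and spaces as `%20` while values in the same query string now get the `for_qs=True` treatment. Unless keys are deliberately exempt, both halves should be quoted the same way: `return u'&'.join(unicode_urlencode(k, for_qs=True) + '=' +`. The body of `do_urlencode` begins above this hunk, and the original line wrapping of the hunk has been lost in this rendering, so indentation cannot be checked here.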

%s

' % escape(x) for x in result))
-def unicode_urlencode(obj, charset='utf-8'):
+def unicode_urlencode(obj, charset='utf-8', for_qs=False):
 """URL escapes a single bytestring or unicode string with the given charset if applicable to URL safe quoting under all rules that need to be considered under all supported Python versions.
@@ -295,7 +295,11 @@ def unicode_urlencode(obj, charset='utf-8'):
 obj = text_type(obj)
 if isinstance(obj, text_type):
 obj = obj.encode(charset)
- return text_type(url_quote(obj))
+ safe = for_qs and b'' or b'/'
+ rv = text_type(url_quote(obj, safe))
+ if for_qs:
+ rv = rv.replace('%20', '+')
+ return rv
 class LRUCache(object):
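Review bot: The new `for_qs` parameter on `def unicode_urlencode(obj, charset='utf-8', for_qs=False):` is not described in the docstring that follows it, which still only explains the charset handling. A sentence such as `If for_qs is true the value is quoted for use inside a query string: '/' is escaped as well and spaces become '+'.` would tell callers when to pass it and what changes. The docstring's remaining lines and the function body continue past this hunk into the next one.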
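Review bot: `safe = for_qs and b'' or b'/'` evaluates to `b'/'` for both values of `for_qs`: when `for_qs` is true the `and` yields the falsy `b''`, so the `or` falls through to `b'/'`. Slashes are therefore still left unescaped in query strings, which is the very behaviour the commit message and the CHANGES entry claim to fix; only the `%20` to `+` substitution actually takes effect. Use a conditional expression instead, `safe = b'' if for_qs else b'/'`, and pin it with a test such as `assert unicode_urlencode('a/b', for_qs=True) == 'a%2Fb'`. The space-to-plus replace on the following lines does not collide with input data, since a literal `+` is quoted to `%2B` by `url_quote` before the replace runs.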