Flask-JSGlue
Values are not URL encoded
Flask's `url_for` function encodes input to be URL safe. For example, `url_for('root', someparam='5 & 6 & more')` gives back `/?someparam=5+%26+6+%26+more`.

JSGlue doesn't escape the input at all. `Flask.url_for("root", {"someparam": "5 & 6 & more"})` gives back `/?someparam=5 & 6 & more`.
Here's a fully working demo script:
```python
import flask
from flask_jsglue import JSGlue

app = flask.Flask(__name__)
jsglue = JSGlue(app)
app.debug = True

# Renders the same URL twice: once server-side via Flask's url_for,
# once client-side via JSGlue's Flask.url_for.
home_template = u'''
<head>
{{ JSGlue.include() }}
</head>
<body>
Flask url: <code>{{ url_for('root', someparam='5 & 6 & more') }}</code>
<br/>
JSGlue url: <code id="jsglueurl"></code>
<script>
var jsglueUrl = Flask.url_for("root", {"someparam": "5 & 6 & more"});
document.getElementById("jsglueurl").innerHTML = jsglueUrl;
</script>
</body>
'''


@app.route("/")
def root():
    return flask.render_template_string(home_template)


if __name__ == "__main__":
    app.run()
```
You'll see the results on the page.
Fixing this may be a breaking change, so it might make sense to make this some kind of setting or argument.
If safe is expected and you get "unsafe", to me, that's a bug. And probably, not a hard one to fix. Can't think of evil side-effects. @stewartpark what do you think?
I agree, @italomaia. I think this could be a potential problem and we should replicate whatever Flask's url_for does as much as possible :)