I'm trying to pass a user-supplied string as a Flask URL parameter.
url_for(func_name, param="string with spaces") or similar generates a URL with spaces.
If the user enters a string with spaces, the generated URL has spaces; it seems to work.
Also, if I enter a URL with %20, it seems to redirect to a URL with spaces.
I thought URLs with spaces were a bad idea.
How do I get it to work right (url_for and redirection)?
Or should I just accept it?
P.S. Is passing a user-supplied string as a parameter safe? If not, how should I sanitize the user input string?
Upvotes: 2
Views: 5342
No, Flask generates URLs properly URL encoded; demoing with an existing application:
>>> with app.test_request_context('/'):
...     print(url_for('core.city', city='new york'))
...
/new%20york
Your browser on the other hand may elect to show such URLs decoded for ease of reading.
url_for() quotes input to be URL-safe; encoded URLs cannot contain values that could be interpreted as HTML, so you are safe there as far as user-supplied values are concerned.
Upvotes: 2
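As an added example (not code from the post above), the following shows both halves of the round trip the answer describes: url_for() percent-encodes the user-supplied value, and the routing layer decodes it again before the view runs, so what arrives in the view is raw user input that still has to be escaped if it is rendered into HTML. The app, the `core` blueprint and the `city` view are assumed for the demo; Flask must be installed.

```python
# Added example: url_for() encoding and the decoded value seen by the view.
# Assumes Flask is installed; the app, blueprint and view names are made up.
from flask import Flask, Blueprint, url_for
from markupsafe import escape

core = Blueprint("core", __name__)


@core.route("/<city>")
def city(city):
    # Werkzeug decodes %20, %3C, ... before calling the view, so `city` is
    # the original user input again; escape it before embedding it in HTML.
    return f"<p>{escape(city)}</p>"


app = Flask(__name__)
app.register_blueprint(core)


def build_url(value):
    """Return the URL that url_for() builds for a user-supplied city value."""
    with app.test_request_context("/"):
        return url_for("core.city", city=value)


def fetch(value):
    """Request the built URL with the test client; return (status, body)."""
    resp = app.test_client().get(build_url(value))
    return resp.status_code, resp.get_data(as_text=True)


if __name__ == "__main__":
    # Constructed sample inputs: a space, HTML metacharacters, a literal '%'.
    for value in ["new york", 'a<b>"c', "100% pure"]:
        print(build_url(value), "->", fetch(value))
```

Spaces, angle brackets, quotes and the percent sign all come out percent-encoded in the URL, while the view receives the decoded string and relies on escape() to keep it out of the HTML as markup.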