2

I'm trying to pass a user supplied string as a Flask URL parameter. url_for(func_name, param="string with spaces") or similar generates a URL with spaces.

If the user enters a string with spaces, the generated URL has spaces, and it seems to work.

Also, if I enter a URL with %20, it seems to redirect to a URL with spaces. I thought URLs with spaces were a bad idea.

How do I get it to work right (url_for and redirection)? Or should I just accept it?

P.S. Is passing a user supplied string as a parameter safe? If not how should I sanitize the user input string?

1
  • This is your browser showing you spaces; everything is working as intended. Commented Feb 18, 2014 at 11:12

1 Answer

2

No, Flask generates URLs properly URL encoded; demoing with an existing application:

>>> with app.test_request_context('/'):
...     print(url_for('core.city', city='new york'))
... 
/new%20york

Your browser on the other hand may elect to show such URLs decoded for ease of reading.

url_for() quotes input to be URL-safe; encoded URLs cannot contain values that could be interpreted as HTML, so you are safe there as far as user-supplied values are concerned.


1 Comment

I just tried copy/paste and it looks like you are right. OTOH when I add random junk to the end, my 404 page, which displays the request.url, has spaces, not %20s. Weird.
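An added example, not part of the original answer or comment: it uses the standard library's `urllib.parse.quote` as a stand-in for the percent-encoding that `url_for()` applies, and a hypothetical 404 renderer to show why a decoded request URL, like the one the comment describes, should be HTML-escaped when echoed into a page. The function names, the `safe=""` choice and the sample inputs are assumptions constructed for illustration.

```python
import html
from urllib.parse import quote, unquote

# Constructed sample inputs (not from the original page).
SAMPLES = ["new york", "a/b", "<b>hi</b>", "50% off?x=1#top", "café"]


def build_city_url(city: str) -> str:
    """Percent-encode a user-supplied value as ONE path segment.

    safe="" also encodes "/" so the value cannot add path segments;
    that choice is this example's assumption, not a statement about
    the exact character set Flask/Werkzeug leaves unescaped.
    """
    return "/" + quote(city, safe="")


def decode_path(path: str) -> str:
    """What the server-side view sees again after URL decoding."""
    return unquote(path[1:])


def render_not_found(path: str) -> str:
    """Hypothetical 404 body that echoes the decoded path.

    The decoded text may contain "<", ">" or "&" again, so it is
    HTML-escaped before it is placed in the page.
    """
    shown = "/" + decode_path(path)
    return "<p>Not found: {}</p>".format(html.escape(shown))


if __name__ == "__main__":
    for value in SAMPLES:
        url = build_city_url(value)
        print("{!r:24} -> {}".format(value, url))
        print("{:24}    {}".format("", render_not_found(url)))
```

The encoded URL is inert as HTML, but the decoded form is not, which is why the escaping belongs at the point where the value is written into the page.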
