Values are not URL encoded

[bladeoflight16]

Flask's url_for function encodes input to be URL safe. For example, url_for('root', someparam='5 & 6 & more') gives back /?someparam=5+%26+6+%26+more.

JSGlue doesn't escape the input at all. Flask.url_for("root", {"someparam": "5 & 6 & more"}) gives back /?someparam=5 & 6 & more.

Here's a fully working demo script:

import flask
from flask_jsglue import JSGlue

app = flask.Flask(__name__)
jsglue = JSGlue(app)
app.debug = True


home_template = u'''
<head>
    {{ JSGlue.include() }}
</head>
<body>
    Flask url: <code>{{ url_for('root', someparam='5 & 6 & more') }}</code>
    <br/>
    JSGlue url: <code id="jsglueurl"></code>

    <script>
        var jsglueUrl = Flask.url_for("root", {"someparam": "5 & 6 & more"});
        document.getElementById("jsglueurl").innerHTML = jsglueUrl;
    </script>
</body>
'''


@app.route("/")
def root():
    return flask.render_template_string(home_template)

if __name__ == "__main__":
    app.run()

You'll see the results on the page.

[bladeoflight16]

Fixing this may be a breaking change, so it might make sense to make this some kind of setting or argument.

[italomaia]

If safe is expected and you get "unsafe", to me, that's a bug. And probably, not a hard one to fix. Can't think of evil side-effects. @stewartpark what do you think?

[stewartpark]

I agree, @italomaia. I think this could be a potential problem and we should replicate whatever Flask's url_for does as much as possible :)