
Variables are Escaped in Query, but Nowhere Else

Open da3dsoul opened this issue 4 years ago • 2 comments

The query strings are handled by the Python urllib urlencode(sequence) -> string and parse_qs(string) -> list(tuple). These handle escaping for you. If you pass a variable to args or kwargs with the intention of them not going into the query, though, they are not escaped.

make_path():

```python
args = tuple(quote_plus(str(a), '') for a in args)
...
url_kwargs = dict(((k, quote_plus(str(v), '')) for k, v in list(kwargs.items()) if k in self._keywords))
```

will escape in a place that reflects url_for and other important places, and

match():

```python
...
return dict((k, unquote_plus(v)) for k, v in match.groupdict().items()) if match else None
```

will unescape it.

The important thing to note is that, theoretically, this could be a breaking change for some people, if they are expecting to handle that themselves. In most, if not all, cases, it should be fine, but it's better to bring it up here rather than put it in a PR to never see the light of day.

da3dsoul, Jan 12 '20 08:01

It helps if you provide an example input, and what kind of input is incorrectly parsed.

dagwieers, Jan 12 '20 19:01

Whatever needs escaping isn't. That applies to strings that:

  • have spaces
  • have Unicode
  • have URL reserved characters
  • have quotes or apostrophes, etc.

The easy way is to just use url_for and route to something like /drugs/are/<a> then give it anything like the above, let alone a full path.

da3dsoul, Jan 13 '20 04:01
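The round trip described in this thread, as an added example that is not part of the issue or of the routing library's code: a toy router using the same `/drugs/are/<a>` placeholder style, with a switch between the current behaviour (path arguments inserted raw, only the query string going through urlencode/parse_qs) and the proposed one (quote_plus in make_path, unquote_plus in match). `ToyRouter`, `build_and_match`, the `show` handler and the sample value with a space, an ampersand, a slash, a non-ASCII letter and a question mark are all constructed for this example.

```python
import re
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode


class ToyRouter:
    """Tiny route builder/matcher in the style of a Kodi plugin router.

    Illustration code for this issue thread, not the routing library itself.
    `escape_path_args` toggles the change the issue proposes: quote_plus()
    path arguments in make_path() and unquote_plus() them again in match().
    """

    def __init__(self, escape_path_args):
        self.escape_path_args = escape_path_args
        self._rules = []  # (regex, keywords, pattern, handler)

    def route(self, pattern):
        def decorator(func):
            keywords = re.findall(r"<(\w+)>", pattern)
            # Each <name> placeholder matches exactly one path segment, so a raw
            # "/" inside a value can never match unless it has been escaped.
            regex = re.compile(
                "^" + re.sub(r"<(\w+)>", r"(?P<\1>[^/]+)", pattern) + "$")
            self._rules.append((regex, keywords, pattern, func))
            return func
        return decorator

    def make_path(self, pattern, keywords, *args, **kwargs):
        if self.escape_path_args:
            # Proposed behaviour: escape everything that lands in the path.
            args = tuple(quote_plus(str(a), '') for a in args)
            url_kwargs = {k: quote_plus(str(v), '')
                          for k, v in kwargs.items() if k in keywords}
        else:
            # Current behaviour: path arguments are inserted verbatim.
            args = tuple(str(a) for a in args)
            url_kwargs = {k: str(v) for k, v in kwargs.items() if k in keywords}
        path = pattern
        for i, kw in enumerate(keywords):
            value = url_kwargs.get(kw, args[i] if i < len(args) else None)
            if value is None:
                raise ValueError("no value for <%s>" % kw)
            path = path.replace("<%s>" % kw, value)
        # Query-string values are escaped either way, by urlencode().
        query = {k: v for k, v in kwargs.items() if k not in keywords}
        return path + ("?" + urlencode(query) if query else "")

    def url_for(self, func, *args, **kwargs):
        for _regex, keywords, pattern, handler in self._rules:
            if handler is func:
                return self.make_path(pattern, keywords, *args, **kwargs)
        raise ValueError("no route for %r" % func)

    def match(self, url):
        """Return (handler, path_params, query_params) or None if nothing matches."""
        path, _sep, query = url.partition("?")
        for regex, _keywords, _pattern, handler in self._rules:
            m = regex.match(path)
            if m:
                params = m.groupdict()
                if self.escape_path_args:
                    params = {k: unquote_plus(v) for k, v in params.items()}
                return handler, params, parse_qs(query)
        return None


def build_and_match(escape_path_args, value):
    """Build a URL for the <a> route from `value`, then parse it back."""
    router = ToyRouter(escape_path_args)

    @router.route("/drugs/are/<a>")
    def show(a):
        return a

    url = router.url_for(show, value, page="2 & 3")
    return url, router.match(url)


if __name__ == "__main__":
    # Constructed sample: space, "&", "/", non-ASCII and "?" in one path argument.
    sample = "Tom & Jerry/Épisode 1?"
    for escape in (True, False):
        url, matched = build_and_match(escape, sample)
        print("escape=%s url=%r -> %r" % (escape, url, matched and matched[1]))
```

With escaping on, the value comes back byte-for-byte from `match()`; with it off, the raw slash splits the segment and the raw `?` is taken as the start of the query string, so the URL `url_for` produced no longer matches its own route.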