flask url parameters with spaces generates urls with spaces

Question

I'm trying to pass a user supplied string as a Flask URL parameter. url_for(func_name, param="string with spaces") or similar generates a URL with spaces.

If the user enter a string with spaces the generated url has spaces it seems to work.

Also if I enter a URL with %20 it seems to redirect to a url with spaces. I thought URLs with spaces were a bad idea.

How do I get it to work right (url_for and redirection)? Or should I just accept it?

P.S. Is passing a user supplied string as a parameter safe? If not how should I sanitize the user input string?

This is your browser showing you spaces; everything is working as intended. — Martijn Pieters, Feb 18 '14 at 11:12

Martijn Pieters · Accepted Answer · 2014-02-18T12:06:07.557

2

No, Flask generates URLs properly URL encoded; demoing with an existing application:

>>> with app.test_request_context('/'):
...     print url_for('core.city', city='new york')
... 
/new%20york

Your browser on the other hand may elect to show such URLs decoded for ease of reading.

url_for() quotes input to be URL-safe; encoded URLs cannot contain values that could be interpreted as HTML, so you are safe there as far as user-supplied values are concerned.

edited Feb 18 '14 at 12:06

answered Feb 18 '14 at 11:17

Martijn Pieters

1,048,767
296
4,058
3,343

I just tries copy/paste and it looks like you are right. OTOH when I add random junk to the end my 404 page which displays the request.url has space not %20 s. Weird. – Roman A. Taycher Feb 18 '14 at 11:27

flask url parameters with spaces generates urls with spaces

1 Answers1