Escape slashes in query strings.  This fixes #445
diff --git a/CHANGES b/CHANGES
index cfe4c43..ba820cc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -31,6 +31,8 @@
   (`code_generator_class` and `context_class`) (pull request ``#404``).
 - added support for context/environment/evalctx decorator functions on
   the finalize callback of the environment.
+- escape query strings for urlencode properly.  Previously slashes were not
+  escaped in that place.
 
 Version 2.7.3
 -------------
diff --git a/jinja2/filters.py b/jinja2/filters.py
index 0fb5a5a..4b44485 100644
--- a/jinja2/filters.py
+++ b/jinja2/filters.py
@@ -94,7 +94,8 @@
     if itemiter is None:
         return unicode_urlencode(value)
     return u'&'.join(unicode_urlencode(k) + '=' +
-                     unicode_urlencode(v) for k, v in itemiter)
+                     unicode_urlencode(v, for_qs=True)
+                     for k, v in itemiter)
 
 
 @evalcontextfilter
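Review bot: The key of each pair is still quoted with plain `unicode_urlencode(k)`, so only values get the query-string rules. A `/` in a key stays literal, and a space in a key is emitted as `%20` while the same space in a value becomes `+`. Pass the flag on both sides, `unicode_urlencode(k, for_qs=True) + '=' +`, so keys and values are escaped the same way. The enclosing filter starts above this hunk; the single-value branch visible here (`itemiter is None`) keeps `/` unescaped, which looks intentional for path-like input but should be stated in the filter's docstring.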
diff --git a/jinja2/utils.py b/jinja2/utils.py
index e12255f..cdd4cd3 100644
--- a/jinja2/utils.py
+++ b/jinja2/utils.py
@@ -283,7 +283,7 @@
     return Markup(u'\n'.join(u'<p>%s</p>' % escape(x) for x in result))
 
 
-def unicode_urlencode(obj, charset='utf-8'):
+def unicode_urlencode(obj, charset='utf-8', for_qs=False):
     """URL escapes a single bytestring or unicode string with the
     given charset if applicable to URL safe quoting under all rules
     that need to be considered under all supported Python versions.
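Review bot: The new `for_qs` parameter is not described in the docstring, which continues below this hunk, so callers cannot tell that it changes which characters are escaped. Add a sentence such as `If for_qs is true, the result is meant for a query string: "/" is escaped as well and spaces are emitted as "+".` The default of `False` keeps existing callers on the old path-safe behaviour, which is worth stating there too.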
@@ -295,7 +295,11 @@
         obj = text_type(obj)
     if isinstance(obj, text_type):
         obj = obj.encode(charset)
-    return text_type(url_quote(obj))
+    safe = for_qs and b'' or b'/'
+    rv = text_type(url_quote(obj, safe))
+    if for_qs:
+        rv = rv.replace('%20', '+')
+    return rv
 
 
 class LRUCache(object):
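Review bot: `safe = for_qs and b'' or b'/'` always evaluates to `b'/'`, because when `for_qs` is true the `and` yields `b''`, which is falsy, and the `or` falls through to `b'/'`. Slashes in query-string values therefore stay unescaped and only the `%20` to `+` replacement takes effect, which is not what the commit title and the CHANGES entry promise. Use a conditional expression, `safe = b'' if for_qs else b'/'`, or `safe = not for_qs and b'/' or b''` if the codebase must avoid that syntax. A regression test that encodes a dict value containing `/` and expects `%2F` in the output would catch this.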