Update safe parameters passed into quote_plus.

ThePalaceProject · Oct 2, 2023 · 5d8c092 · 5d8c092
1 parent acf2308
commit 5d8c092
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/api/admin/controller/view.py b/api/admin/controller/view.py
@@ -26,10 +26,12 @@ def __call__(self, collection, book, path=None):
                 redirect_url = flask.request.url
                 if collection:
                     redirect_url = redirect_url.replace(
-                        collection, quote_plus(collection)
+                        collection, quote_plus(collection, safe="()")
                     )
                 if book:
-                    redirect_url = redirect_url.replace(book, quote_plus(book))
+                    redirect_url = redirect_url.replace(
+                        book, quote_plus(book, safe="()")
+                    )
                 return redirect(
                     url_for("admin_sign_in", redirect=redirect_url, _external=True)
                 )

diff --git a/tests/api/test_controller_opdsfeed.py b/tests/api/test_controller_opdsfeed.py
@@ -148,7 +148,9 @@ def test_feed(
                 last_item.sort_author,
                 last_item.id,
             ]
-            expect = "key=%s" % quote_plus(json.dumps(expected_pagination_key))
+            expect = "key=%s" % quote_plus(
+                json.dumps(expected_pagination_key), safe=","
+            )
             assert expect in next_link
 
             search_link = by_rel["search"]