# HG changeset patch
# User Paul Boddie <paul@boddie.org.uk>
# Date 1311458538 -7200
# Node ID 29ae49e06183a0db838c8d98704277bc140a15db
# Parent  a32d9a98f6310ec54c0a78438e35371e3c71ce1d
Added URL parameter quoting.

diff -r a32d9a98f631 -r 29ae49e06183 EventAggregatorSupport.py
--- a/EventAggregatorSupport.py	Sat Jul 23 19:04:54 2011 +0200
+++ b/EventAggregatorSupport.py	Sun Jul 24 00:02:18 2011 +0200
@@ -1161,9 +1161,11 @@
                 continue
 
             # Parameterise the URL.
-
-            url = url.replace("{start}", calendar_start and str(calendar_start) or "")
-            url = url.replace("{end}", calendar_end and str(calendar_end) or "")
+            # Where other parameters are used, care must be taken to encode them
+            # properly.
+
+            url = url.replace("{start}", urllib.quote_plus(calendar_start and str(calendar_start) or ""))
+            url = url.replace("{end}", urllib.quote_plus(calendar_end and str(calendar_end) or ""))
 
             # Get a parser.
 
diff -r a32d9a98f631 -r 29ae49e06183 TO_DO.txt
--- a/TO_DO.txt	Sat Jul 23 19:04:54 2011 +0200
+++ b/TO_DO.txt	Sun Jul 24 00:02:18 2011 +0200
@@ -11,9 +11,6 @@
 GriCal and External Aggregation
 -------------------------------
 
-Make URL parameterisation robust enough to prevent arbitrary URL fragment
-insertion.
-
 Support caching of remote event data.
 
 Support navigation where the full extent of external events cannot be