zlacker

code lacks context sensitive escaping

  api_path = base_url + urllib.parse.urlencode({
    'action': action,
    'format': letThisBeVariable,
    ...
    'gscoord': str(latitude.value) + '|' + str(longitude.value)
  })

see: https://docs.python.org/3/library/urllib.parse.html#urllib.p...

Mantra: when inserting data into a context (like an url) escape the data for that context.