wiki: URL-escape constructed API call URLs.

r2/r2/templates/wikipagesettings.html

@@ -23,6 +23,10 @@
 <%namespace file="printablebuttons.html" import="ynbutton" />
 <%namespace name="utils" file="utils.html"/>
 
+<%!
+   from urllib import quote
+%>
+
 <div class="fancy-settings">
     %if thing.show_settings:
         <form id="pagesettings" method="post">
@@ -59,7 +63,7 @@
             <li>
                 ${user}
                 &mdash;&nbsp;
-                ${ynbutton(_("(remove)"), _("done"), "../r/%s/wiki/api/alloweditor/del/%s/%s" % (c.site.name, user, c.page), post_callback="$.refresh")}
+                ${ynbutton(_("(remove)"), _("done"), quote("../r/%s/wiki/api/alloweditor/del/%s/%s" % (c.site.name, user, c.page)), post_callback="$.refresh")}
             </li>
         %endfor
         </ul>

r2/r2/templates/wikirevision.html

@@ -23,7 +23,11 @@
 <%namespace file="utils.html" import="timestamp"/>
 <%namespace file="printablebuttons.html" import="ynbutton" />
 
-<tr class="revision  
+<%!
+   from urllib import quote
+%>
+
+<tr class="revision
     %if thing._hidden:
        hidden
     %endif
@@ -63,7 +67,7 @@
             <a href="#" class="revision_hide" data-revision="${thing._id}" data-page="${thing.page}">hide</a>
         </td>
         <td class="wiki_revert" style="white-space: nowrap;">
-            ${ynbutton(_("revert here"), _("done"), "..%s/api/revert/%s/%s" % (c.wiki_base_url, thing._id, thing.page), post_callback="$.refresh")}
+            ${ynbutton(_("revert here"), _("done"), quote("..%s/api/revert/%s/%s" % (c.wiki_base_url, thing._id, thing.page)), post_callback="$.refresh")}
         </td>
     %endif