Fix bug with percentage redirects, close #1650

datasette/utils/__init__.py

@@ -10,6 +10,7 @@ import markupsafe
 import mergedeep
 import os
 import re
+import secrets
 import shlex
 import tempfile
 import typing
@@ -1172,4 +1173,8 @@ def dash_encode(s: str) -> str:
 @documented
 def dash_decode(s: str) -> str:
     "Decodes a dash-encoded string, so ``-2Ffoo-2Fbar`` -> ``/foo/bar``"
-    return urllib.parse.unquote(s.replace("-", "%"))
+    # Avoid accidentally decoding a %2f style sequence
+    temp = secrets.token_hex(16)
+    s = s.replace("%", temp)
+    decoded = urllib.parse.unquote(s.replace("-", "%"))
+    return decoded.replace(temp, "%")

tests/test_html.py

@@ -961,6 +961,10 @@ def test_no_alternate_url_json(app_client, path):
             "/fivethirtyeight/twitter-ratio%2Fsenators",
             "/fivethirtyeight/twitter-2Dratio-2Fsenators",
         ),
+        (
+            "/fixtures/table%2Fwith%2Fslashes",
+            "/fixtures/table-2Fwith-2Fslashes",
+        ),
         # query string should be preserved
         ("/foo/bar%2Fbaz?id=5", "/foo/bar-2Fbaz?id=5"),
     ),