Use CSV escaping for categories in URLs.

Categories could contain commas, so splitting on comma is not good enough. Let’s escape the fields as if it’s a line in CSV. Fixes #2166.
author: Matthew Somerville <matthew-github@dracos.co.uk> 2018-06-21 10:29:02 +0100
committer: Matthew Somerville <matthew-github@dracos.co.uk> 2018-06-21 17:27:25 +0100
commit: 63f8ca8d3fe1e3b52e079e41b29c85d14376f261 (patch)
tree: 8449714aadfaf13c3a2ee0b14a86c710319f4f92 /perllib/FixMyStreet/App.pm
parent: e1853898c154356bf0af7ef021f9b1c519e8340b (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/perllib/FixMyStreet/App.pm b/perllib/FixMyStreet/App.pm
index 82fcce508..160d2851e 100644
--- a/perllib/FixMyStreet/App.pm
+++ b/perllib/FixMyStreet/App.pm
@@ -14,6 +14,7 @@ use Utils;
 
 use Path::Tiny 'path';
 use Try::Tiny;
+use Text::CSV;
 use URI;
 use URI::QueryParam;
 
@@ -517,7 +518,11 @@ sub get_param_list {
     my $value = $c->req->params->{$param};
     return () unless defined $value;
     my @value = ref $value ? @$value : ($value);
-    return map { split /,/, $_ } @value if $allow_commas;
+    if ($allow_commas) {
+        my $csv = Text::CSV->new;
+        $csv->parse(join ',', @value);
+        @value = $csv->fields;
+    }
     return @value;
 }
author	Matthew Somerville <matthew-github@dracos.co.uk>	2018-06-21 10:29:02 +0100
committer	Matthew Somerville <matthew-github@dracos.co.uk>	2018-06-21 17:27:25 +0100
commit	63f8ca8d3fe1e3b52e079e41b29c85d14376f261 (patch)
tree	8449714aadfaf13c3a2ee0b14a86c710319f4f92 /perllib/FixMyStreet/App.pm
parent	e1853898c154356bf0af7ef021f9b1c519e8340b (diff)