Plugin/Auth/Extensible.pm _default_login_page will call uri_escape() multiple times for return_url

[cc-skelos]

Granted almost everyone will replace the default login page, this bug is disconcerting when starting to learn authentication and session management for Dancer2.

Once a route is added requiring a role, the user is referred to /login. If an incorrect name/password combination is given the user is referred back to /login agin but uri_escape() is called on request_url again, breaking it in the hidden field although it still looks OK in the browser location bar.

/login, first time: <input type="hidden" name="return_url" value="%2Freport">
/login, second time: <input type="hidden" name="return_url" value="%252Freport">

I'm not nearly sure what the fix should be. Trusting user input? Ah, no. But blindly escaping things twice causes problems too, as when the user supplies a correct username and password they are no longer routed back to the route they started with.

Edit: use sufficient HTML markup to see all the problem report.

[SysPete]

Thanks for the bug report @cc-skelos - good catch! I'll have a look at this over the weekend.