by seanhunter 366 days ago
I wonder whether my dudes cut and pasted from the same cursed stack overflow snippet as your dudes had.

The strings here included user input too. Worse still, the situation was that the company was offering a B2B service, and the strings didn't just come from user input by an employee of the company; they came from arbitrary customers of the customers of the company.


In my case the data was visible in the URL. They had chosen not to store session-specific data in the DB or a cookie or anything sane like that, but to pass it to the page in the URL path by converting a dict to a string.

Git blame shows the same thing done in two different places and the line edited by at least two different people.