Ensure unvalidated user strings don't end up in URLs

[tpoliaw]

Badly formed user strings could affect data returned from tiled breaking deserialization and data handling. Hopefully this would only break or affect the request being made but could potentially allow users to circumvent access checks.

Originally posted by @tpoliaw in #36 (comment)

[abbiemery]

As part of this we should change:

let url = self.address.join(endpoint)?;

to

let mut url = self.address.clone();
url.set_path(endpoint);