You are correct of course, but to quote the book: "web2py includes two distinct URL rewrite systems: an easy-to-use parameter-based system for most use cases, and a flexible pattern-based system for more complex cases."
You have to use the pattern-based system to avoid the vulnerability, and I bet most people don't. Anyway, thanks for your work-around. Prompted by Jonathan, I will look into using the pattern-based system and remove the temporary fix. --