Sorry, still don't get the point. In my understanding:
1. URLs that start with http: or ftp: etc. are certainly external URLs.
2. URLs that start with / are absolute paths of the current host
3. URLs other than the above are relative paths of the current host
so which one do you consider dangerous and could you please give an
example?

On Sep22, 5:08am, mdipierro <mdipie...@cs.depaul.edu> wrote:
> because in web2py request.args are optional I think it is dangerous to
> have relative URLs that do not start with '/'.
> web2py assumes that if a url does not start with '/' that is an
> external URL (starts with http:, ftp: etc.)
>
> On Sep 21, 11:20 am, Yarko Tymciurak <yark...@gmail.com> wrote:
>
>
>
> > sounds like this needs to be straightened out;  probably deserves some
> > discussion (as Iceberg suggests)...
>
> > Massimo - can you add your thoughts to this?
>
> > On Sun, Sep 20, 2009 at 4:09 AM, Iceberg <iceb...@21cn.com> wrote:
>
> > > On Sep20, 4:28pm, szimszon <szims...@gmail.com> wrote:
> > > > I'm a bit puzzled :(
>
> > > > I modified the code:
>
> > > > n=str(URL(r=request,f='sablonsor_jog')+'/[id]')
> > > > sablon_sor=crud.create(db.oklevel_sablon,next=n)
>
> > > > but it's not working. Type of 'n' is 'str'.
>
> > > > And the
>
> > > > n='/borverseny/adatok/sablonsor_jog'+'/[id]'
>
> > > > doesn't work either.
>
> > > > But
>
> > > > n='borverseny/adatok/sablonsor_jog'+'/[id]'
>
> > > > works. So I think the point is that if the url string begins with the
> > > > '/' then the replace doesn't work. If the url does not begin with '/' then
> > > > everything is working right.
>
> > > Yeah, I met the same problem before. It is all because web2py's gluon/
> > > tools.py does the "[id]" magic ONLY for a url that does NOT begin with the '/'.
> > > The source code has many snippets like this.
>
> > >                if next and not next[0] == '/' and next[:4] != 'http':
> > >                    next = self.url(next.replace('[id]', str(form.vars.id)))
>
> > > I don't know the reason for requiring a leading '/'. Perhaps Massimo
> > > will tell us more.
>
> > > Sincerely,
> > > Iceberg

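The three URL categories listed at the top of this message, set beside the prefix condition quoted from gluon/tools.py, as an added example that is not part of the original thread or of web2py's code. The function names and the sample URLs other than the two szimszon tried are constructed for illustration, and the self.url() wrapping that web2py applies is left out.

```python
from urllib.parse import urlsplit

def quoted_check_substitutes(next_url):
    """The condition quoted in the thread: the '[id]' replacement runs only
    when the URL starts with neither '/' nor the four characters 'http'."""
    return bool(next_url) and not next_url[0] == '/' and next_url[:4] != 'http'

def substitute_id(next_url, record_id):
    """Apply the '[id]' replacement under the quoted condition
    (web2py's self.url() wrapping is omitted in this sketch)."""
    if quoted_check_substitutes(next_url):
        return next_url.replace('[id]', str(record_id))
    return next_url

def classify(url):
    """The three categories from the message, decided by parsing the URL
    rather than by comparing string prefixes."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return 'external'          # has a scheme or a host part
    if parts.path.startswith('/'):
        return 'absolute-path'     # path on the current host
    return 'relative-path'         # resolved against the current URL

# Constructed samples; the first two are the values tried in the thread.
SAMPLES = [
    '/borverseny/adatok/sablonsor_jog/[id]',
    'borverseny/adatok/sablonsor_jog/[id]',
    'http://example.com/view/[id]',
    'ftp://example.com/view/[id]',   # external, but not caught by the 'http' prefix
    'httpdocs/view/[id]',            # relative, but skipped by the 'http' prefix
]

def report(record_id=7):
    """Return (url, category, url after the quoted substitution rule)."""
    return [(u, classify(u), substitute_id(u, record_id)) for u in SAMPLES]

if __name__ == '__main__':
    for url, kind, result in report():
        print(f'{kind:14} {url!r} -> {result!r}')
```

The last two samples are where the prefix test and the parsed category disagree: the ftp: URL is treated like a relative path, and a relative path that happens to begin with "http" is treated like an external one.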