web2py restricts what chars can be in the args to avoid problems. For
example # cannot be in the args because it is used to separate the hash.
Also often the args are used to access files or other resources and we want
to protect against possible insecure direct object reference attacks
(https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References)
On Wednesday, 27 July 2016 06:32:59 UTC-5, Mirek Zvolský wrote:
>
> If I use
> URL('action', args=("a#b", "a:b"))
>
> I will receive
> request.args == ['a_b', 'a_b']
>
> So I need to use something like base64.b32encode() for each one item from
> args.
>
>
> Probably this is "by design" behaviour,
> but I'm curious why is it so?
>
> urllib.quote / .unqoute returns the original value a#b, a:b
>
>
> [web2py 2.14.5]
>
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
