I don't really care which question is the primary one, but it doesn't harm to go back to the beginning point: Currently, the way the code is written, [id] in a URL will be replaced by the created/modified id of the record, ONLY IF it is a relative path (no leading '/', no leading 'http:'). The side effect is that one obvious usage, next=URL(...), doesn't work, which is not desired IMHO.

On Sep24, 0:32am, Yarko Tymciurak <[email protected]> wrote:
> and the point here: currently, the way code is written, [id] in a URL will
> be replaced by the created/modified id of the record EXCEPT if it is
> relative, or absolute (e.g. ONLY '/' leading URL paths will have [id] set,
> as shown in the manual).
>
> The question of "what is safe; what isn't" isn't the primary issue here -
> it is the behavior (advertised/expected; actual; what is really desired)
> for this "[id]" replacement.
>
> Let's get to that first, shall we?
>
> THEN we can discuss the various path contexts....
>
> On Tue, Sep 22, 2009 at 11:30 AM, Iceberg <[email protected]> wrote:
>
> > Sorry, still don't get the point. In my understanding:
> > 1. URLs that start with http: or ftp: etc are certainly external URLs.
> > 2. URLs that start with / are absolute paths of the current host
> > 3. URLs other than the above are relative paths of the current host
> > so which one do you consider dangerous and could you please give an
> > example?
> >
> > On Sep22, 5:08am, mdipierro <[email protected]> wrote:
> > > because in web2py request.args are optional I think it is dangerous to
> > > have relative URLs that do not start with '/'.
> > > web2py assumes that if a url does not start with '/' that is an
> > > external URL (starts with http:, ftp: etc.)
> > >
> > > On Sep 21, 11:20 am, Yarko Tymciurak <[email protected]> wrote:
> > >
> > > > sounds like this needs to be straightened out; probably deserves some
> > > > discussion (as Iceberg suggests)...
> > > >
> > > > Massimo - can you add your thoughts to this?
> > > >
> > > > On Sun, Sep 20, 2009 at 4:09 AM, Iceberg <[email protected]> wrote:
> > > > > Yeah, I met the same problem before. It is all because web2py's
> > > > > gluon/tools.py does the "[id]" magic ONLY for a url that does NOT
> > > > > begin with the '/'.
> > > > > The source code has many snippets like this.
> > > > >
> > > > >     if next and not next[0] == '/' and next[:4] != 'http':
> > > > >         next = self.url(next.replace('[id]', str(form.vars.id)))
> > > > >
> > > > > I don't know the reason for requiring a leading '/'. Perhaps Massimo
> > > > > will tell us more.
> > > > >
> > > > > Sincerely,
> > > > > Iceberg
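
Added example, not part of the thread and not web2py's code: it applies the condition quoted from gluon/tools.py to the URL forms Iceberg lists, and uses the standard library's `urljoin` to show how a bare relative path resolves differently once the current request carries an extra arg. The helper names, the `build_url` stand-in for `self.url`, the sample hosts and paths, and the reading of the request.args concern are assumptions.

```python
from urllib.parse import urljoin


def build_url(function_path):
    # Hypothetical stand-in for self.url(): anchors a bare name under a
    # constructed application/controller prefix.
    return "/app/default/" + function_path


def substitute_id(next_url, record_id):
    """Apply the condition quoted in the thread to a 'next' value."""
    if next_url and not next_url[0] == '/' and next_url[:4] != 'http':
        # Only this branch performs the [id] replacement.
        return build_url(next_url.replace('[id]', str(record_id)))
    # Leading '/' or leading 'http': returned untouched, [id] included.
    return next_url


def resolve(current_url, target):
    """Resolve a redirect target against the current page, as a browser would."""
    return urljoin(current_url, target)


if __name__ == "__main__":
    # Constructed sample values covering the three URL forms from the thread.
    for candidate in ("show/[id]",
                      "/app/default/show/[id]",
                      "http://example.com/show/[id]"):
        print(f"{candidate!r:35} -> {substitute_id(candidate, 7)!r}")

    # The same bare relative target lands on two different paths depending
    # on whether the current URL has an optional trailing arg.
    for current in ("http://host/app/default/edit",
                    "http://host/app/default/edit/3"):
        print(f"{current:35} + 'show/7' -> {resolve(current, 'show/7')}")
```
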

