On Aug 18, 2011, at 6:09 AM, peter wrote:

> If one enters a url for web2py
> 
> .../welcome/default/index/a%20b
> 
> then the URL works fine (%20 is an encoded space)
> 
> If one puts
> 
> .../welcome/default/index/a%27b
> 
> then one gets an 'Invalid request'. The %27 is an encoded apostrophe.
> 
> So web2py is not liking this encoded apostrophe in what it sees as the
> first argument. Why does it not like %27, and is there any simple
> way round this?

By default, web2py is a little conservative in its validation of incoming URLs. 
The parametric router is more liberal, adhering more closely to the RFCs. 
However, as others have pointed out, the URL is a primary attack vector for 
some malware. If you're going to be accepting special characters in your args & 
vars, be sure you understand the consequences for SQL injection and other 
attacks, and guard against them.
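The following is an added illustration, not code from the thread or from web2py itself. It decodes the two URLs from the question into their first argument, checks that argument against a conservative allow-list and a more liberal one (both patterns are hypothetical stand-ins for the default validation and the parametric router, not web2py's actual rules), and then shows why an argument containing an apostrophe must only reach the database through a parameterised query. The `pages` table and its rows are constructed sample data.

```python
import re
import sqlite3
from urllib.parse import unquote

# Hypothetical allow-lists for a single path argument. The first mirrors the
# "conservative" behaviour described in the reply (word characters, @, space,
# dot, hyphen); the second adds the RFC 3986 sub-delimiters, including the
# apostrophe, as a stand-in for the more liberal parametric router.
CONSERVATIVE_ARG = re.compile(r"[\w@ .\-]+")
LIBERAL_ARG = re.compile(r"[\w@ .\-!$&'()*+,;=:]+")


def decode_args(path):
    """Return the percent-decoded args after /app/controller/function/."""
    segments = path.strip("/").split("/")
    return [unquote(seg) for seg in segments[3:]]


def validate_args(args, pattern):
    """True when every decoded arg matches the allow-list pattern in full."""
    return all(pattern.fullmatch(arg) is not None for arg in args)


def build_db():
    """Constructed in-memory table keyed by a page name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (name TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?)",
        [("a b", "Page a b"), ("a'b", "Page a'b")],
    )
    return conn


def lookup_title_safe(conn, name):
    """Parameterised query: the driver handles the apostrophe correctly."""
    row = conn.execute(
        "SELECT title FROM pages WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None


def unsafe_query_breaks(conn, name):
    """Splicing the raw arg into SQL: an apostrophe terminates the string
    literal early, so SQLite rejects the statement. Returns True if it did."""
    try:
        conn.execute("SELECT title FROM pages WHERE name = '%s'" % name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    for url in ("/welcome/default/index/a%20b", "/welcome/default/index/a%27b"):
        args = decode_args(url)
        print(url, "->", args,
              "conservative:", validate_args(args, CONSERVATIVE_ARG),
              "liberal:", validate_args(args, LIBERAL_ARG))
    db = build_db()
    print(lookup_title_safe(db, "a'b"))
    print("naive concatenation fails:", unsafe_query_breaks(db, "a'b"))
```

The conservative pattern rejects `a'b` exactly where the question reports "Invalid request"; the liberal pattern accepts it, which is the point at which the apostrophe becomes the application's responsibility. Keeping every use of the argument behind bound parameters, as `lookup_title_safe` does, is the guard the reply asks for.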
