views: 56
answers: 1
While writing code, it is pretty common to request a page with an appended "next" query string argument.

For instance, in the following template code next points back to the page the user is on:

<a href="{% url some_view %}?next={{ request.get_full_path }}">

Here I am following a convention: if next features something that I'm not in control of, such as search keywords a user has typed, I urlencode it. Otherwise I don't.

<a href="{% url some_view %}?next={{ request.get_full_path|urlencode }}">

Instead of judging for each next argument whether it would be user provided or not, would it be convenient if I urlencode all next strings? Will there be side effects I don't see at the moment?

+2  A: 

To the best of my knowledge anything that's inside of a url should always be urlencoded.

The only gotcha is that you need to make sure to reverse the encoding when you read in the arguments. It's very possible that django already does this for you. I'd need to consult the documentation and/or code to confirm though.

Bryan McLemore

S.Lott: Well, in the context of his question though, the next argument can just be checked against a list of valid domains, or it can be required to be relative.

Bryan McLemore
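As an added illustration (not code from the question, the answer, or Django itself), the following Python reproduces what the template's |urlencode filter does with urllib.parse, shows what goes wrong when an unencoded next value itself carries a query string, and implements the relative-or-allowed-host check suggested in the comments. ALLOWED_HOSTS and the sample paths are constructed for the example.

```python
from urllib.parse import quote, parse_qs, urlsplit

# Constructed for this example: hosts a redirect target may point at.
ALLOWED_HOSTS = {"example.com"}


def build_link(view_path, next_path):
    """Build '<view_path>?next=<encoded>' as the |urlencode filter would.

    Django's urlencode filter is quote() with '/' kept safe, which is also
    quote()'s default, so the two produce the same string.
    """
    return f"{view_path}?next={quote(next_path, safe='/')}"


def read_next(url):
    """Read 'next' back the way request.GET['next'] does (parse_qs unquotes)."""
    return parse_qs(urlsplit(url).query).get("next", [None])[0]


def demo_roundtrip(next_path):
    """Return (decoded value from an encoded link, decoded value from a raw link).

    Encoding always round-trips; leaving it out truncates next at its own '&'
    because the inner query string merges with the outer one.
    """
    encoded = build_link("/login/", next_path)
    raw = f"/login/?next={next_path}"
    return read_next(encoded), read_next(raw)


def next_is_safe(next_url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only a same-site relative path or an http(s) URL on an allowed host.

    Hand-rolled here so the example runs without Django; in a real project
    prefer Django's own url_has_allowed_host_and_scheme().
    """
    if not next_url or "\\" in next_url:  # browsers treat '\' like '/'
        return False
    parts = urlsplit(next_url)
    if parts.scheme not in ("", "http", "https"):
        return False
    if parts.netloc == "":
        # Relative target: must be a path, not protocol-relative ('//host').
        return next_url.startswith("/") and not next_url.startswith("//")
    return parts.hostname in allowed_hosts
```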