From 04bd84786d39b8a17620dfb3b354599d8d95417b Mon Sep 17 00:00:00 2001 From: Markus Holtermann Date: Sat, 4 Oct 2014 19:49:58 +0200 Subject: [PATCH] Fixed #23602 -- Add comment on get_absolute_url regarding user input --- docs/ref/models/instances.txt | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/ref/models/instances.txt b/docs/ref/models/instances.txt index f5147090b4..aa38081074 100644 --- a/docs/ref/models/instances.txt +++ b/docs/ref/models/instances.txt @@ -660,6 +660,19 @@ framework `, use ``get_absolute_url()`` when it is defined. If it makes sense for your model's instances to each have a unique URL, you should define ``get_absolute_url()``. +.. warning:: + + You should avoid building the URL from un-validated user input, in order to + reduce possibilities of link or redirect poisoning:: + + def get_absolute_url(self): + return '/%s/' % self.name + + If ``self.name`` is ``'/example.com'`` this returns ``'//example.com/'`` + which, in turn, is a valid schema relative URL but not the expected + ``'/%2Fexample.com/'``. + + It's good practice to use ``get_absolute_url()`` in templates, instead of hard-coding your objects' URLs. For example, this template code is bad:
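Review bot: the new warning in the `docs/ref/models/instances.txt` hunk shows only the unsafe pattern and never tells the reader what to write instead; since the surrounding text already recommends `get_absolute_url()` for every model with a unique URL, the warning should end with the safe form, for example that the URL be built with `reverse()` against a named URL pattern whose converter rejects `/`, or that the value be escaped before interpolation, so that the expected `'/%2Fexample.com/'` the note mentions is actually produced. Two wording points in the same hunk: "schema relative URL" should read "scheme-relative URL" (the term for a `//host/...` URL), and "un-validated" is normally written "unvalidated". Finally, the hunk leaves two consecutive blank lines between the end of the `.. warning::` block and "It's good practice to use"; one blank line is enough in reStructuredText and matches the rest of the file.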