-
- GitHub
- GitLab
- Bitbucket
-
By logging in you accept
our terms of service
and privacy policy
Django's is_safe_url() bundled as a standalone package.
pip install is-safe-url==1.0
is_safe_url()Redirecting a visitor to another URL is common. It's also common that the
redirect target is controllable by a visitor. One can often find a ?next or
?on_complete GET parameter with the redirect target.
While this form of redirection is convenient, blindly redirecting a visitor to the given target can easily lead to Unvalidated Redirect and Forwards. Thus, one needs to check if the redirect target is "safe" before redirecting a visitor.
The Django web framework has a utility function
is_safe_url() that attempts to validate a given target against a set of valid
hosts. This package unbundles the function and easily allows other projects to
use it.
>>> from is_safe_url import is_safe_url
>>> is_safe_url("/redirect/target", {"example.com", "www.example.com"})
True
>>> is_safe_url("//example.com/redirect/target", {"example.com", "www.example.com"})
True
>>> is_safe_url("//evil.net/redirect/target", {"example.com"})
False
>>> is_safe_url("http://example.com/redirect/target", {"example.com"})
True
>>> is_safe_url("http://example.com/redirect/target", {"example.com"}, require_https=True)
False
>>> is_safe_url("https://example.com/redirect/target", {"example.com"}, require_https=True)
True
Please report security issues privately to the Django security team or Markus Holtermann.
The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.
Learn more →Something wrong with this page? Make a suggestion
Export .ABOUT file for this package
Last synced: 2021-02-16 17:34:30 UTC
Login to resync this project