Django's is_safe_url() bundled as a standalone package.
Project description
is_safe_url()
Redirecting a visitor to another URL is common. It's also common that the redirect target is controllable by a visitor. One can often find a ?next or ?on_complete GET parameter with the redirect target.
While this form of redirection is convenient, blindly redirecting a visitor to the given target can easily lead to Unvalidated Redirects and Forwards. Thus, one needs to check whether the redirect target is "safe" before redirecting a visitor.
The Django web framework has a utility function is_safe_url() that attempts to validate a given target against a set of valid hosts. This package unbundles the function and allows other projects to use it easily.
>>> from is_safe_url import is_safe_url
>>> is_safe_url("/redirect/target", {"example.com", "www.example.com"})
True
>>> is_safe_url("//example.com/redirect/target", {"example.com", "www.example.com"})
True
>>> is_safe_url("//evil.net/redirect/target", {"example.com"})
False
>>> is_safe_url("http://example.com/redirect/target", {"example.com"})
True
>>> is_safe_url("http://example.com/redirect/target", {"example.com"}, require_https=True)
False
>>> is_safe_url("https://example.com/redirect/target", {"example.com"}, require_https=True)
True
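To show the kind of checks such a validator makes and how a view would act on the result, here is an added example; it is not code from this package or from Django. It is a simplified stand-in built on urllib.parse, and the names is_safe_target, _check and resolve_next are assumptions; a real project should call is_safe_url() itself.

```python
import unicodedata
from urllib.parse import urlsplit


def _check(url, allowed_hosts, require_https):
    # Browsers treat three or more leading slashes as an absolute URL.
    if url.startswith("///"):
        return False
    # A leading control character can hide the real start of the URL.
    if unicodedata.category(url[0])[0] == "C":
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # A scheme without a host ("http:///example.com", "javascript:...") is rejected.
    if parts.scheme and not parts.netloc:
        return False
    # Scheme-relative targets ("//host/path") are judged as if they were http.
    scheme = parts.scheme or ("http" if parts.netloc else "")
    allowed_schemes = {"https"} if require_https else {"http", "https"}
    host_ok = not parts.netloc or parts.netloc in allowed_hosts
    return host_ok and (not scheme or scheme in allowed_schemes)


def is_safe_target(url, allowed_hosts, require_https=False):
    """Hypothetical stand-in for is_safe_url(); same argument order as above."""
    url = (url or "").strip()
    if not url:
        return False
    # Some browsers read "\" as "/", so the normalised form must pass as well.
    return _check(url, allowed_hosts, require_https) and _check(
        url.replace("\\", "/"), allowed_hosts, require_https
    )


def resolve_next(target, allowed_hosts, default="/", require_https=False):
    """Return the visitor-supplied target if it validates, else a fixed default."""
    return target if is_safe_target(target, allowed_hosts, require_https) else default
```

The caller redirects to whatever resolve_next() returns, so a rejected ?next value sends the visitor to the default page instead of producing an error.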
Security
Please report security issues privately to the Django security team or Markus Holtermann.
Hashes for is_safe_url-1.0-py3-none-any.whl
Algorithm | Hash digest |
---|---|
SHA256 | 0d55e554974039deec7f9a395aab1e488abac811006d17f930607c43e6d3948e |
MD5 | e2f9918fb703387cd591f977a8bccaa3 |
BLAKE2b-256 | 7ac340c363bc4c3d0ddcda3489239ba64752b8c18cb6493e058f8f1b73154925 |