safeURL should not substitute value by empty string

5 years ago

Milo
Nette Core | 1149
+
0
-

When I was writing app on Windows, I passed a full file path like `D:\Web\application' by

<a href='?path={$path}'>

and it was dropped by safeURL, so result was

<a href='?path='>

I don't want to argue, if windows paths should be allowed by safeURL, or not (maybe yes, maybe not). I want to discuss about empty value.

At first moment I was confused where the path dissapeared, and I was searching why is $path empty? I think, it would be more friendly result to be:

<a href='?path=error:Sanitized by safeURL helper'>

This navigates newbies to find the topic on forum.

What do you think?

Last edited by Milo (2014-01-05 22:20)

5 years ago

David Grudl
Nette Core | 6849
+
0
-

I think the problem is that safeUrl should be called only when there are no characters before variable.

5 years ago

Milo
Nette Core | 1149
+
0
-

@David Grudl True. error: can be in debug mode only. When the link just disappears is really confusing.

5 years ago

Eda
Member | 212
+
0
-

Agree. A few day ago I spent some time on finding similar mistake.
Some kind of warning instead of empty string would be nice.

5 years ago

David Grudl
Nette Core | 6849
+
0
-

Btw, <a href='?path={$path}'> is wrong, you should use <a href='?path={$path|url}'> and it will work.

5 years ago

Milo
Nette Core | 1149
+
0
-

Oh, that's true!