Email Templates and the full website URL


Vibhu Rishi

Nov 29, 2013, 5:01:27 AM
to django...@googlegroups.com
hi,

I have a setup where I have a project details page, and I can do a "send email" which should send the email with the URL.

Email is working fine.

The problem is that I am getting a relative URL in the template.

I have the following in the html email template :
<A href="{% url "project.views.details" project.id %}">{{ project }}</a>

This gives me a URL in the email as /projects/1 (1 being the project id).

How do I prepend the URL of the server here? E.g. I want this to be http://localhost:8000/projects/1

Vibhu

--
Simplicity is the ultimate sophistication. - Leonardo da Vinci
Life is really simple, but we insist on making it complicated. - Confucius

Rafael E. Ferrero

Nov 29, 2013, 5:56:43 AM
to django...@googlegroups.com





--
Rafael E. Ferrero

Rafael E. Ferrero

Nov 29, 2013, 6:04:48 AM
to django...@googlegroups.com

Vibhu Rishi

Nov 29, 2013, 6:09:02 AM
to django...@googlegroups.com
Thanks for the links. I had done the google searches and gone through them, but they seemed to me a lot of work to get something simple.

I finally did the following. Any comments welcome if this is not a good way to do it.

In my view, I pass a context object of the request to the email template. I need the request as I also want to put in the user's name.

In the email template I now changed it to:
<A href="http://{{ request.get_host }}{% url "project.views.details" project.id %}">{{ project }}</a>

This seems to be working and quite simple too!

Regards,
Vibhu






Rafael E. Ferrero

Nov 29, 2013, 6:55:50 AM
to django...@googlegroups.com
Good work!!





--
Rafael E. Ferrero

Joseph Mutumi

Nov 29, 2013, 9:09:03 AM
to django...@googlegroups.com
That could work but isn't it a bit insecure? I think it will be susceptible to a header injection (http://en.wikipedia.org/wiki/HTTP_header_injection). I would rather create a setting with the domain name in settings.py and then call it from the template or write a custom template tag.


Felipe Coelho

Nov 29, 2013, 9:37:46 AM
to Django users
2013/11/29 Joseph Mutumi <jjmu...@gmail.com>

> That could work but isn't it a bit insecure? I think it will be susceptible to a header injection(http://en.wikipedia.org/wiki/HTTP_header_injection). I would rather create a setting with the domain name in settings.py and then call it from the template or write a custom template tag.

Check Django's ALLOWED_HOSTS [1] setting; it is supposed to account for this, and Django 1.5+ requires you to explicitly set it in order to run a site with DEBUG=False.

Tom Evans

Nov 29, 2013, 9:39:46 AM
to django...@googlegroups.com
On Fri, Nov 29, 2013 at 2:09 PM, Joseph Mutumi <jjmu...@gmail.com> wrote:
> That could work but isn't it a bit insecure? I think it will be susceptible
> to a header injection(http://en.wikipedia.org/wiki/HTTP_header_injection). I
> would rather create a setting with the domain name in settings.py and then
> call it from the template or write a custom template tag.

Possibly; if you are using vhosts at all, then the host header is hard
to spoof, as in order to be routed to your application, the request
must already have the appropriate header.

If you don't use vhosts, then it is in any case wise to apply host
name canonicalisation to your website - your site may respond to
'www.foo.com' and 'foo.com', but requests for 'foo.com/blah' are
immediately redirected to 'www.foo.com/blah'. This will aid with SEO
and provide absolute, consistent URLs.

Cheers

Tom

Fred Stluka

Nov 30, 2013, 6:59:10 AM
to django...@googlegroups.com
I had the same problem.  Wrote this:

from django.conf import settings

def get_web_server_base_url(request, settings_override_name=None):
    # Allow the value in the settings file to override any computed value.
    url = None
    if settings_override_name:
        url = getattr(settings, settings_override_name, None)
    if not url:
        # Fall back to the scheme and host of the current request.
        # get_host() is derived from the request's Host header.
        protocol = request.is_secure() and 'https' or 'http'
        host = request.get_host()
        url = "{0}://{1}".format(protocol, host)
    return url

I didn't know about Site or RequestSite at the time.  Perhaps I could
have used them, but:

1. I wanted the protocol (http, or https) to be correct also.  Would
    RequestSite have done that for me?

2. I wanted to be able to override the hostname with the primary
    name of the server (via an entry in settings.py) even if the request
    was sent to a secondary name or the IP address of the server.
    I suppose Site would have allowed this, via storing the name in
    the DB, but that seems like more work than a settings.py file,
    especially since I already have a convenient mechanism to manage
    different settings.py files when deployed on different servers.

Thoughts?

--Fred
Fred Stluka -- mailto:fr...@bristle.com -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.
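
Added example, not code from the thread, from any poster, or from Django: the base URL for email links is taken from the request host only when that host passes an allow-list check, and otherwise from a configured canonical URL. `CANONICAL_BASE_URL`, the `ALLOWED_HOSTS` values and all function names are assumptions made for illustration; the pattern rule (exact name, leading-dot subdomain wildcard, `*`) follows the one Django documents for its ALLOWED_HOSTS setting.

```python
import re

# Assumed configuration (constructed values, not from the thread).
CANONICAL_BASE_URL = "https://www.example.com"
ALLOWED_HOSTS = [".example.com", "localhost"]

# Host header: hostname or bracketed IPv6 literal, then an optional port.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(:\d+)?$")


def split_host(header_value):
    """Return (hostname, port) from a Host header, or None if malformed."""
    match = _HOST_RE.match(header_value.strip().lower())
    if not match:
        return None
    host, port = match.group(1), match.group(2)
    return host.rstrip("."), (port[1:] if port else "")


def host_allowed(hostname, allowed_hosts):
    """'*' matches anything; '.x.com' matches x.com and its subdomains."""
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == hostname:
            return True
        if pattern.startswith(".") and (
                hostname == pattern[1:] or hostname.endswith(pattern)):
            return True
    return False


def email_base_url(host_header, is_secure, canonical=CANONICAL_BASE_URL,
                   allowed_hosts=ALLOWED_HOSTS):
    """Request host if it validates, else the configured canonical URL."""
    parsed = split_host(host_header or "")
    if parsed is None or not host_allowed(parsed[0], allowed_hosts):
        return canonical
    hostname, port = parsed
    scheme = "https" if is_secure else "http"
    return "{0}://{1}{2}".format(scheme, hostname, ":" + port if port else "")


if __name__ == "__main__":
    # Constructed Host header values.
    for header in ["localhost:8000", "www.example.com", "hackersite.com"]:
        print(header, "->", email_base_url(header, is_secure=False))
```

A host that fails the check never reaches the email body; the link falls back to the canonical URL instead.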

Vibhu Rishi

Dec 2, 2013, 8:05:08 AM
to django...@googlegroups.com
Not sure how the header injection will work in this case?

As I see it, I am using this in the email text for the email body. This is generated and sent in a view function I have. So, how will the http header get inserted in this flow?

Vibhu





Joseph Mutumi

Dec 3, 2013, 9:24:32 AM
to django...@googlegroups.com
It's not that easy to do, but instead of generating the link, say:
http://myrealsite.com/admin/change_password

If HTTP_HOST is somehow messed up say by Man In the Browser, in the
email, you could get something like:

http://hackersite.com/admin/change_password

If the user isn't paying attention, they can end up giving credentials
to a third party!
It's just a corner case, but hackers look for corner cases!