Email Templates and the full website URL
92 views
Skip to first unread message
Vibhu Rishi
Nov 29, 2013, 5:01:27 AM11/29/13
to django...@googlegroups.com
hi,
I have a setup where I have a project details page, and I can do a "send email" which should send the email with the URL.
Email is working fine. I have a setup where I have a project details page, and I can do a "send email" which should send the email with the URL.
<A href="{% url "project.views.details" project.id %}">{{ project }}</a>
This give me a URL in the email as /projects/1 ( 1 being the project id)
How do i prepend the url of the server here ? e.g. I want this to be http://localhost:8000/projects/1
Vibhu
--
Simplicity is the ultimate sophistication. - Leonardo da Vinci
Life is really simple, but we insist on making it complicated. - Confucius
Rafael E. Ferrero
Nov 29, 2013, 5:56:43 AM11/29/13
to django...@googlegroups.com
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAPiONwn6cHwi51fJ63oFUOLof2QmFqsSeqz2VeOM_Jxk%2BaUYGQ%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.
--
Rafael E. Ferrero
Rafael E. Ferrero
Nov 29, 2013, 6:04:48 AM11/29/13
to django...@googlegroups.com
and this can help too http://stackoverflow.com/questions/2119342/python-url-template-tags-giving-only-part-of-a-absolute-url-must-be-a-lack-o
--
Rafael E. Ferrero
Vibhu Rishi
Nov 29, 2013, 6:09:02 AM11/29/13
to django...@googlegroups.com
Thanks for the links. I had done the google searches and gone through them, but they seemed to me a lot of work to get something simple.
I finally did the following. Any comments welcome if this is not a good way to do. In my view, I pass a context object of the request to the email template. I need the request as i also want to put in the user's name.
<A href="http://{{request.get_get_host}}{% url "project.views.details" project.id %}">{{ project }}</a>
Regards,
Vibhu
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAJJc_8WWUyfwYd1cjxNzvm0xe5LjUTNDjPGDnYaaxE9w3B1C-g%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.
--
Rafael E. Ferrero
Nov 29, 2013, 6:55:50 AM11/29/13
to django...@googlegroups.com
Good work!!
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAPiONw%3D7Uh9uReNyCCzhGb%3D09WHCzY9rSPp9mYn_eJRsHwmNpw%40mail.gmail.com.
--
Rafael E. Ferrero
Joseph Mutumi
Nov 29, 2013, 9:09:03 AM11/29/13
to django...@googlegroups.com
That could work but isn't it a bit insecure? I think it will be susceptible to a header injection(http://en.wikipedia.org/wiki/HTTP_header_injection). I would rather create a setting with the domain name in settings.py and then call it from the template or write a custom template tag.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAJJc_8WiwQjgNPKX4RZ0eQu%3DkYz%2BH51BywB0rQMVJ4u8XW8hbw%40mail.gmail.com.
Felipe Coelho
Nov 29, 2013, 9:37:46 AM11/29/13
to Django users
2013/11/29 Joseph Mutumi <jjmu...@gmail.com>
That could work but isn't it a bit insecure? I think it will be susceptible to a header injection(http://en.wikipedia.org/wiki/HTTP_header_injection). I would rather create a setting with the domain name in settings.py and then call it from the template or write a custom template tag.
Check Django's ALLOWED_HOSTS [1] setting, it is supposed to account for this, and Django 1.5+ requires you to explicitly set it in order to run a site with DEBUG=False
Tom Evans
Nov 29, 2013, 9:39:46 AM11/29/13
to django...@googlegroups.com
On Fri, Nov 29, 2013 at 2:09 PM, Joseph Mutumi <jjmu...@gmail.com> wrote:
> That could work but isn't it a bit insecure? I think it will be susceptible
> to a header injection(http://en.wikipedia.org/wiki/HTTP_header_injection). I
> would rather create a setting with the domain name in settings.py and then
> call it from the template or write a custom template tag.
Possibly; if you are using vhosts at all, then the host header is hard
> That could work but isn't it a bit insecure? I think it will be susceptible
> to a header injection(http://en.wikipedia.org/wiki/HTTP_header_injection). I
> would rather create a setting with the domain name in settings.py and then
> call it from the template or write a custom template tag.
to spoof, as in order to be routed to your application, the request
must already have the appropriate header.
If you don't use vhosts, then it is in any case wise to apply host
name canonicalisation to your website - your site may respond to
'www.foo.com' and 'foo.com', but requests for 'foo.com/blah' are
immediately redirected to 'www.foo.com/blah'. This will aid with SEO
and provide absolute, consistent URLs.
Cheers
Tom
Fred Stluka
Nov 30, 2013, 6:59:10 AM11/30/13
to django...@googlegroups.com
I had the same problem. Wrote this:
def get_web_server_base_url(request, settings_override_name=None):
# Allow the value in the settings file to override any computed value.
url = None
if settings_override_name:
url = getattr(settings, settings_override_name, None)
if not url:
protocol = request.is_secure() and 'https' or 'http'
host = request.get_host()
url = "{0}://{1}".format(protocol, host)
return url
I didn't know about Site or RequestSite at the time. Perhaps I could
have used them, but:
1. I wanted the protocol (http, or https) to be correct also. Would
RequestSite have done that for me?
2. I wanted to be able to override the hostname with the primary
name of the server (via an entry in settings.py) even if the request
was sent to a secondary name or the IP address of the server.
I suppose Site would have allowed this, via storing the name in
the DB, but that seems like more work than a settings.py file,
especially since I already have convenient mechanism to manage
different settings.py files when deployed on different servers.
Thoughts?
def get_web_server_base_url(request, settings_override_name=None):
# Allow the value in the settings file to override any computed value.
url = None
if settings_override_name:
url = getattr(settings, settings_override_name, None)
if not url:
protocol = request.is_secure() and 'https' or 'http'
host = request.get_host()
url = "{0}://{1}".format(protocol, host)
return url
I didn't know about Site or RequestSite at the time. Perhaps I could
have used them, but:
1. I wanted the protocol (http, or https) to be correct also. Would
RequestSite have done that for me?
2. I wanted to be able to override the hostname with the primary
name of the server (via an entry in settings.py) even if the request
was sent to a secondary name or the IP address of the server.
I suppose Site would have allowed this, via storing the name in
the DB, but that seems like more work than a settings.py file,
especially since I already have convenient mechanism to manage
different settings.py files when deployed on different servers.
Thoughts?
--Fred
Fred Stluka -- mailto:fr...@bristle.com -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.
Fred Stluka -- mailto:fr...@bristle.com -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAPiONw%3D7Uh9uReNyCCzhGb%3D09WHCzY9rSPp9mYn_eJRsHwmNpw%40mail.gmail.com.
Vibhu Rishi
Dec 2, 2013, 8:05:08 AM12/2/13
to django...@googlegroups.com
Not sure how the header injection will work in this case ?
As I see it, I am using this in the email text for the email body. This is generated and sent in a view function I have. So, how will the http header get inserted in this flow ?
Vibhu
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAN5idp9_g88SHrHBN2YZQVA%2BxbGFJ-F6Ac2PvxD3uLF7Dqa9_w%40mail.gmail.com.
Joseph Mutumi
Dec 3, 2013, 9:24:32 AM12/3/13
to django...@googlegroups.com
Its not that easy to do but instead of generating the link say:
http://myrealsite.com/admin/change_password
If HTTP_HOST is somehow messed up say by Man In the Browser, in the
email, you could get something like:
http://hackersite.com/admin/change_password
If the user isn't paying attention, they can end up giving credentials
to third party!
Its just a corner case, but hackers look for corner cases!
>>> https://groups.google.com/d/msgid/django-users/CAJJc_8WiwQjgNPKX4RZ0eQu%3DkYz%2BH51BywB0rQMVJ4u8XW8hbw%40mail.gmail.com
>>> .
http://myrealsite.com/admin/change_password
If HTTP_HOST is somehow messed up say by Man In the Browser, in the
email, you could get something like:
http://hackersite.com/admin/change_password
If the user isn't paying attention, they can end up giving credentials
to third party!
Its just a corner case, but hackers look for corner cases!
>>> .
>>>
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Django users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to django-users...@googlegroups.com.
>> To post to this group, send email to django...@googlegroups.com.
>> Visit this group at http://groups.google.com/group/django-users.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/django-users/CAN5idp9_g88SHrHBN2YZQVA%2BxbGFJ-F6Ac2PvxD3uLF7Dqa9_w%40mail.gmail.com
>> .
>>
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Django users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to django-users...@googlegroups.com.
>> To post to this group, send email to django...@googlegroups.com.
>> Visit this group at http://groups.google.com/group/django-users.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/django-users/CAN5idp9_g88SHrHBN2YZQVA%2BxbGFJ-F6Ac2PvxD3uLF7Dqa9_w%40mail.gmail.com
>> .
>>
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
>
>
> --
> Simplicity is the ultimate sophistication. - Leonardo da Vinci
> Life is really simple, but we insist on making it complicated. - Confucius
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users...@googlegroups.com.
> To post to this group, send email to django...@googlegroups.com.
> Visit this group at http://groups.google.com/group/django-users.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/CAPiONwmsOxsVpxW8edRhWBoSifRpwgvG0sJ5XqktW0XhSBVRRA%40mail.gmail.com.
>>
>
>
>
> --
> Simplicity is the ultimate sophistication. - Leonardo da Vinci
> Life is really simple, but we insist on making it complicated. - Confucius
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users...@googlegroups.com.
> To post to this group, send email to django...@googlegroups.com.
> Visit this group at http://groups.google.com/group/django-users.
> To view this discussion on the web visit
Reply all
Reply to author
Forward
0 new messages