Reply To: Get view-id from arbitrary pretty-url

Splash Forums Rewrite Users Get view-id from arbitrary pretty-url Reply To: Get view-id from arbitrary pretty-url

#24770

You are right. If you add the view-id of the previous view into a query parameter, an attacker could modify it. That’s why everything that is part of the URL has to be validated and/or escaped correctly when processing it.

I don’t see much issues with using the JavaScript history API. Whenever you redirect the user (from a filter or any other place), the browser will request a new page and the old URL will be placed in the history. So both the back button and the reload button will work as expected. That’s one of the major benefits of using the Post-Redirect-Get pattern.

If you think that an API is required to transform an mapped URL to the real view ID, please open an issue for that. I cannot tell you whether this is easy to implement at the moment. But if you open a ticket, we will definitely discuss this in one of our next developer meetings.