On Tue November 25 2008, Toshio Kuratomi wrote:
> For these issues we could either concentrate on fixing or mitigating
> them. Fixing them would require the laborious changes I talked about
> earlier to change the way the framework already processes the POST and
> GET parameters before they get to us.
I guess it would be enough only to check whether the request is a POST request
without checking where the variables come from. This may be available in
this variable: cherrypy.request.method
> Mitigation is easier -- we should
> make it part of our best practices to never have links or GET driven
> forms that make state changes when designing the UI and templates.
This is also needed if you check for the request method, because otherwise
you would have broken links.
Regards,
Till
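The method check Till describes, as an added example that is not code from the thread or from the project: a decorator that refuses to run a state-changing handler unless the request is a POST, and a simulation showing why a plain link (a GET) to such a handler would then break. A minimal stand-in for cherrypy.request is constructed so the example runs offline; real code would read cherrypy.request.method instead.

```python
import functools


class _Request:
    """Constructed stand-in for cherrypy.request (assumption: real code
    reads cherrypy.request.method from the framework instead)."""

    def __init__(self, method="GET"):
        self.method = method


request = _Request()


class MethodNotAllowed(Exception):
    """Raised in place of sending an HTTP 405 response."""


def post_only(handler):
    """Refuse to run a state-changing handler unless the request is a POST.

    This checks only the HTTP method, not where the parameters came from,
    which is exactly the narrower check proposed in the thread."""

    @functools.wraps(handler)
    def wrapper(*args, **kwargs):
        if request.method.upper() != "POST":
            raise MethodNotAllowed(
                f"{handler.__name__} requires POST, got {request.method}")
        return handler(*args, **kwargs)

    return wrapper


# Constructed account record acted on by the guarded handler below.
ACCOUNT = {"email": "old@example.org"}


@post_only
def change_email(new_email):
    """Hypothetical state-changing handler guarded by the POST check."""
    ACCOUNT["email"] = new_email
    return ACCOUNT["email"]


def simulate(method, new_email):
    """Run the handler as if the request used the given method.
    Returns the stored e-mail on success, or None when the request was refused
    (a GET link to this handler is refused, hence the broken-links remark)."""
    request.method = method
    try:
        return change_email(new_email)
    except MethodNotAllowed:
        return None
```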