Thread tagged as: Question, Meta

Outputting the current url with routed pages

I'm trying to create a semi-automated <link rel="canonical"> tag in the head.

This usually works fine like this:

PerchSystem::set_var("current_url", perch_page_url(array(
    "include-domain" => true,
    "hide-extensions" => true),
true));

then in my page attributes HTML file:

<link rel="canonical" href="<perch:pages id="current_url" type="hidden"/>" />

The problem I have is that this does not work for 'routed' pages in Runway. e.g. for somesite.com/level1/level2/level3, perch_page_url may only return somesite.com

I was then tempted to just echo the real URL like this:

PerchSystem::set_var("current_url", (isset($_SERVER['HTTPS']) ? "https://" : "http://") . $_SERVER["HTTP_HOST"] . $_SERVER['REQUEST_URI']);

However, I've read security warnings about doing things like this: https://expressionengine.com/blog/http-host-and-server-name-security-issues

Is that a valid concern? Is there a safe way of echoing out the full URL?

Jay George 2 points

  • 3 years ago

Drew McLellan 2638 points
Perch Support

You should HTML-encode anything that comes from the environment before outputting it to the page. Perch templates do this for everything automatically by default. The only thing I'd add to your example is escaping quotes because you're using the value in an attribute.

href="<perch:pages id="current_url" type="hidden" escape="true" />"

OK thanks,

I think you may have missed the second part of my question though, which is where I'm having problems—this does not work for pages that are routed.

I could do:

PerchSystem::set_var("current_url", (isset($_SERVER['HTTPS']) ? "https://" : "http://") . $_SERVER["HTTP_HOST"] . $_SERVER['REQUEST_URI']);

However, I've read security warnings about doing things like this: https://expressionengine.com/blog/http-host-and-server-name-security-issues

Is that a valid concern? Is there a safe way of echoing out the full URL?

Drew McLellan 2638 points
Perch Support

That's the part I was addressing.

Oh OK! So it’s OK for security using the PHP superglobals? E.g. cache poisoning

Drew McLellan 2638 points
Perch Support

Anything you pass into a template is automatically encoded. You should additionally escape quotes if you're putting that value inside an HTML quoted attribute value.

I can't give you assurance that what you're doing is secure. You need to take responsibility for that yourself.

OK, makes sense, I understand you can't offer assurance.

However, I can see similar methods of setting the domain variable in the source code, like $domain = 'http' . (isset($_SERVER['HTTPS']) ? 's' : '') . '://' . $_SERVER['HTTP_HOST']; in perch/addons/apps/perch_blog/lib/PerchBlog_Posts.class.php

…so I can only assume it's not a huge security concern. Maybe I'll reconsider if I ever use Varnish or the site gets attacked.
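
An added example (not code from the thread or from Perch): one way to build the canonical URL for routed pages without trusting the client-supplied Host header, by accepting `HTTP_HOST` only when it matches a site-configured allowlist. The names `canonical_url`, `canonical_link_tag`, `ALLOWED_HOSTS` and `DEFAULT_HOST` are hypothetical, the hostnames are placeholders, and dropping the query string is an assumption about what the canonical URL should contain.

```php
<?php
// Added example. Hostnames are constructed placeholders for the site's real ones.
const ALLOWED_HOSTS = ['somesite.com', 'www.somesite.com'];
const DEFAULT_HOST  = 'somesite.com';

// Build the canonical URL from request data without trusting the Host header.
function canonical_url(array $server): string
{
    // HTTP_HOST is sent by the client: accept it only on an exact allowlist match.
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $host = DEFAULT_HOST;
    }

    // Some servers set HTTPS to "off" on plain HTTP, so isset() alone is not enough.
    $https  = strtolower((string) ($server['HTTPS'] ?? ''));
    $scheme = ($https !== '' && $https !== 'off') ? 'https' : 'http';

    // Keep the routed path, drop the query string (assumption: canonical = path only).
    $path = explode('?', (string) ($server['REQUEST_URI'] ?? '/'), 2)[0];
    if ($path === '' || $path[0] !== '/') {
        $path = '/';
    }

    return $scheme . '://' . $host . $path;
}

// Escape for a double-quoted HTML attribute when printing outside a template.
function canonical_link_tag(array $server): string
{
    $href = htmlspecialchars(canonical_url($server), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<link rel="canonical" href="' . $href . '" />';
}

// Constructed requests: a normal routed page, then an unrecognised Host header.
$requests = [
    ['HTTPS' => 'on', 'HTTP_HOST' => 'somesite.com', 'REQUEST_URI' => '/level1/level2/level3?ref=x'],
    ['HTTPS' => 'on', 'HTTP_HOST' => 'unknown.example', 'REQUEST_URI' => '/level1/a"b'],
];
foreach ($requests as $request) {
    echo canonical_link_tag($request), PHP_EOL;
}
```

In Perch, the unescaped result of `canonical_url($_SERVER)` can be passed to `PerchSystem::set_var("current_url", ...)` as in the first post, leaving the encoding to the template so the value is not escaped twice.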