Message6012
Hi Anthony:
In message <668020702.20170911154217@inbox.ru>,
Anthony writes:
>I found that I can't set the value of "__redirect_to" to a relative url.
That's correct and intentional. The __redirect_to (and _came_from)
parameter is accessible to the user or to any nasty malware in the
browser.
>The recently introduced examine_url() function will raise an error in such
>a case because it expects only an absolute url.
From the comment right above that block:

    To try to prevent XSS attacks, validate that the url that is
    passed in is under self.base for the tracker. This is used to
    clean up "__came_from" and "__redirect_to" form variables used
    by the LoginAction and NewItemAction actions.
I assume the URL is generated by accessing the base url in the tracker
config and using that to generate an absolute url. For example:
tal:attributes="value string:${request/base}${request/env/PATH_INFO}?${request/env/QUERY_STRING}"
What is your use case where this must be a relative url?
Date                | User   | Action | Args
2017-09-11 23:50:24 | rouilj | set    | recipients: + rouilj, antmail
2017-09-11 23:50:24 | rouilj | link   | issue2550951 messages
2017-09-11 23:50:23 | rouilj | create |
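The policy described in the message above (accept a redirect target only if it is an absolute URL under the tracker base, and reject relative URLs outright) can be written as a small standalone check. The code below is an added example for this page; it is not Roundup's own examine_url(), and the function names, the error class and the sample base URL tracker.example.com are assumptions made for the illustration. Beyond the relative-URL case the message discusses, it also rejects the usual open-redirect bypasses a reviewer would test for: protocol-relative targets, scheme downgrade, look-alike hosts, userinfo tricks, backslashes, and dot segments (plain or percent-encoded) that would escape the base path.

```python
"""Validate a user-controlled redirect target against a tracker base URL.

Added illustration of the policy described in the message above: only an
absolute URL under the tracker base is accepted for __redirect_to or
__came_from. This is NOT Roundup's examine_url(); the names and the sample
base URL are assumptions made for the example.
"""
import posixpath
from urllib.parse import urlsplit, unquote


class RedirectRejected(ValueError):
    """The candidate URL must not be used as a redirect target."""


def safe_redirect_target(candidate, base):
    """Return `candidate` unchanged if it is an absolute URL under `base`.

    Raises RedirectRejected otherwise. Relative URLs are rejected on
    purpose: the parameter is attacker-controllable, and a relative target
    would be resolved by the browser, whose URL parsing differs from the
    server's, so the server could not reliably know where it points.
    """
    if not isinstance(candidate, str) or not candidate:
        raise RedirectRejected("empty or non-string redirect target")
    # Browsers treat '\' like '/' in URLs; urlsplit does not. Reject rather
    # than guess, and do the same for whitespace and NUL bytes.
    if "\\" in candidate or "\x00" in candidate or any(ch.isspace() for ch in candidate):
        raise RedirectRejected("forbidden characters in %r" % candidate)

    b = urlsplit(base)
    c = urlsplit(candidate)

    # Must be absolute: scheme and host present. This also rejects
    # protocol-relative targets such as //evil.example/ (empty scheme).
    if not c.scheme or not c.netloc:
        raise RedirectRejected("not an absolute URL: %r" % candidate)
    if c.scheme.lower() != b.scheme.lower():
        raise RedirectRejected("scheme mismatch: %r" % candidate)
    # userinfo (https://tracker.example.com@evil.example/) is never legitimate
    if c.username is not None or c.password is not None:
        raise RedirectRejected("userinfo not allowed: %r" % candidate)
    try:
        # Exact host and port match; an explicit default port (:443) is
        # treated as a mismatch against a base without one, which is strict
        # but avoids reasoning about per-scheme defaults here.
        same_host = ((c.hostname or "").lower() == (b.hostname or "").lower()
                     and c.port == b.port)
    except ValueError:  # non-numeric or out-of-range port
        same_host = False
    if not same_host:
        raise RedirectRejected("host mismatch: %r" % candidate)

    # Path must be the base path itself or live beneath it. Decode first and
    # collapse dot segments so /roundup/../admin or %2e%2e cannot escape.
    base_dir = posixpath.normpath(unquote(b.path or "/"))
    path = posixpath.normpath(unquote(c.path or "/"))
    if path != base_dir and not path.startswith(base_dir.rstrip("/") + "/"):
        raise RedirectRejected("path not under base: %r" % candidate)
    return candidate


def is_safe_redirect(candidate, base):
    """Boolean form of safe_redirect_target(), convenient for tests."""
    try:
        safe_redirect_target(candidate, base)
    except RedirectRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs (assumed tracker base, not a real site).
    BASE = "https://tracker.example.com/roundup/"
    for target in (
        "https://tracker.example.com/roundup/issue42",        # accepted
        "issue42",                                            # relative: rejected
        "//evil.example/roundup/",                            # protocol-relative
        "http://tracker.example.com/roundup/",                # scheme downgrade
        "https://tracker.example.com.evil.example/roundup/",  # look-alike host
        "https://tracker.example.com@evil.example/roundup/",  # userinfo trick
        "https://tracker.example.com/roundup/%2e%2e/admin",   # encoded dot segments
    ):
        print("%-55s %s" % (target, "ok" if is_safe_redirect(target, BASE) else "REJECTED"))
```

In a template the accepted value is what you would feed back into the hidden __redirect_to field; anything rejected should fall back to a fixed, server-chosen URL (for example the tracker index) rather than to the attacker-supplied string.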