Granted almost everyone will replace the default login page, this bug is disconcerting when starting to learn authentication and session management for Dancer2.
Once a route is added requiring a role, the user is referred to /login. If an incorrect name/password combination is given the user is referred back to /login again, but uri_escape() is called on request_url again, breaking it in the hidden field although it still looks OK in the browser location bar.
/login, first time: <input type="hidden" name="return_url" value="%2Freport">
/login, second time: <input type="hidden" name="return_url" value="%252Freport">
I'm not nearly sure what the fix should be. Trusting user input? Ah, no. But blindly escaping things twice causes problems too, as when the user supplies a correct username and password they are no longer routed back to the route they started with.
Edit: use sufficient HTML markup to show the whole problem report.
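The double-escaping described in the report, and one way a login form could avoid it, as an added example in Perl (not code from Dancer2 or its auth plugin; the helpers canonical_return_url and return_url_field are hypothetical, and the CPAN modules URI::Escape and HTML::Entities are assumed available):

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use URI::Escape    qw(uri_escape uri_unescape);   # CPAN distribution: URI
use HTML::Entities qw(encode_entities);           # CPAN distribution: HTML::Parser

# Hypothetical helpers, not part of Dancer2 or its auth plugin.

# Reduce whatever arrived as return_url to a plain local path. The value may
# be the original request path ("/report") or the once-escaped hidden field
# value posted back after a failed login ("%2Freport"); both end up as
# "/report". A path carrying a literal "%2F" loses that distinction, which is
# an accepted trade-off in this example.
sub canonical_return_url {
    my ($raw) = @_;
    my $path = uri_unescape($raw // '');
    # Accept only a site-local absolute path: no scheme, no host, and not a
    # leading "//" or "/\", which browsers read as a host prefix. Anything
    # else falls back to the site root instead of being trusted as given.
    return '/' unless $path =~ m{\A/(?![/\\])\S*\z};
    return $path;
}

# Render the hidden field. uri_escape runs exactly once, on the canonical
# path, and encode_entities then protects the HTML attribute context. Feeding
# the rendered value back in yields the identical field, so a second /login
# render after a bad password no longer produces "%252Freport".
sub return_url_field {
    my ($raw) = @_;
    my $value = encode_entities( uri_escape( canonical_return_url($raw) ) );
    return qq{<input type="hidden" name="return_url" value="$value">};
}

if (!caller) {
    my $first  = return_url_field('/report');     # first visit to /login
    my $second = return_url_field('%2Freport');   # re-render after a failed login
    print "$first\n$second\n";
    print "idempotent\n" if $first eq $second;
    # An off-site value is replaced by "/" rather than escaped and kept.
    print return_url_field('https://other.example/'), "\n";
}
```

Both rendered fields print as value="%2Freport", and the off-site value renders as value="%2F".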