
Merge pull request #1505 from pawl/issue_1503

Check for a valid scheme in the redirect target URL (prevents XSS)
mrjoes committed Aug 27, 2018
2 parents 4ecd742 + 0dc5a48 commit 960f5e0a0185a7c04a8f98678a845ad57d472285
Showing with 28 additions and 2 deletions.
  1. +11 −2 flask_admin/helpers.py
  2. +17 −0 flask_admin/tests/test_helpers.py
@@ -8,6 +8,9 @@
from ._compat import string_types


VALID_SCHEMES = ['http', 'https']


def set_current_view(view):
g._admin_view = view

@@ -128,10 +131,16 @@ def prettify_class_name(name):


def is_safe_url(target):
# prevent urls starting with "javascript:"
target = target.strip()
target_info = urlparse(target)
target_scheme = target_info.scheme
if target_scheme and target_scheme not in VALID_SCHEMES:
return False

ref_url = urlparse(request.host_url)
test_url = urlparse(urljoin(request.host_url, target))
return (test_url.scheme in ('http', 'https') and
ref_url.netloc == test_url.netloc)
return ref_url.netloc == test_url.netloc


def get_redirect_target(param_name='url'):
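Review bot: The scheme test at `if target_scheme and target_scheme not in VALID_SCHEMES:` only rejects what urlparse recognises as a scheme, so a target whose scheme part contains an ASCII control character (tab, CR, LF) parses as scheme-less, is joined onto request.host_url as a relative path, and passes the netloc comparison, while browsers discard those characters before parsing a URL. Rejecting such input right after the strip, e.g. `if any(c in target for c in '\t\r\n'): return False`, closes that gap without depending on the interpreter (recent CPython releases strip those characters inside urlsplit, but the check should not rely on that). Note also that `target.strip()` raises AttributeError on None, where the old code returned True through urljoin's empty-url shortcut; that is fine if get_redirect_target, which starts at the end of this hunk and continues outside it, only calls this with a non-empty string, which I cannot confirm here. A docstring such as `"""Return True if *target* is a relative URL or an http(s) URL on this host, i.e. safe to redirect to."""` would also make the contract explicit.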
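--- /dev/null
+++ b/flask_admin/tests/test_helpers.py
@@ -0,0 +1,17 @@
+import flask
+
+from flask_admin import helpers
+
+
+def test_is_safe_url():
+    app = flask.Flask(__name__)
+
+    with app.test_request_context('http://127.0.0.1/admin/car/edit/'):
+        assert helpers.is_safe_url('http://127.0.0.1/admin/car/')
+        assert helpers.is_safe_url('https://127.0.0.1/admin/car/')
+        assert helpers.is_safe_url('/admin/car/')
+        assert helpers.is_safe_url('admin/car/')
+
+        assert not helpers.is_safe_url('http://127.0.0.2/admin/car/')
+        assert not helpers.is_safe_url(' javascript:alert(document.domain)')
+        assert not helpers.is_safe_url('javascript:alert(document.domain)')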
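Review bot: The new tests never exercise a scheme-less target that carries its own host (a protocol-relative path) or a scheme written in mixed case, so the netloc comparison for that input and urlparse's scheme lowercasing both go unverified. Adding `assert not helpers.is_safe_url('//127.0.0.2/admin/car/')` and `assert helpers.is_safe_url('HTTP://127.0.0.1/admin/car/')` inside the same request context would pin both behaviours. A one-line docstring on test_is_safe_url, such as `"""is_safe_url accepts same-host http(s) and relative targets and rejects other hosts and schemes."""`, would state what the request-context fixture is there to prove.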
