
Locking down "from" param in the Signin screen

Should only support absolute urls on the same root
1 parent d75d2d8 commit 72987a56911eddcabdccc5e743ff91d4226af7e4 @JedWatson JedWatson committed Dec 19, 2016
Showing with 3 additions and 1 deletion.
  1. +3 −1 admin/client/Signin/index.js
@@ -11,11 +11,13 @@ import ReactDOM from 'react-dom';
import Signin from './Signin';
const params = qs.parse(window.location.search.replace(/^\?/, ''));
+const from = typeof params.from === 'string' && params.from.charAt(0) === '/'
+ ? params.from : undefined;
ReactDOM.render(
<Signin
brand={Keystone.brand}
- from={params.from}
+ from={from}
logo={Keystone.logo}
user={Keystone.user}
userCanAccessKeystone={Keystone.userCanAccessKeystone}
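Review bot: the guard on the two added `const from` lines only checks that `params.from` starts with `/`, so a value beginning with `//` (a scheme-relative URL) still passes and the browser resolves it against another host, which contradicts the commit's stated intent of accepting only absolute URLs on the same root. Consider also rejecting a second leading `/` or `\` (browsers normalize `\` to `/` in http(s) URLs), for example `const from = typeof params.from === 'string' && /^\/(?![\/\\])/.test(params.from) ? params.from : undefined;`, or resolve with `new URL(params.from, window.location.origin)` and keep the value only when its `.origin` equals `window.location.origin`. A one-line comment above `const from` explaining why the parameter is restricted would also help the next reader understand that this is a deliberate redirect-target filter and not incidental parsing.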
