Locking down "from" param in the Signin screen
Should only support absolute urls on the same root
JedWatson committed Dec 19, 2016
1 parent d75d2d8 commit 72987a5
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion admin/client/Signin/index.js
Expand Up @@ -11,11 +11,13 @@ import ReactDOM from 'react-dom';
import Signin from './Signin'; import Signin from './Signin';


const params = qs.parse(window.location.search.replace(/^\?/, '')); const params = qs.parse(window.location.search.replace(/^\?/, ''));
const from = typeof params.from === 'string' && params.from.charAt(0) === '/'
? params.from : undefined;


ReactDOM.render( ReactDOM.render(
<Signin <Signin
brand={Keystone.brand} brand={Keystone.brand}
from={params.from} from={from}
logo={Keystone.logo} logo={Keystone.logo}
user={Keystone.user} user={Keystone.user}
userCanAccessKeystone={Keystone.userCanAccessKeystone} userCanAccessKeystone={Keystone.userCanAccessKeystone}
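Review bot: the new guard `params.from.charAt(0) === '/'` only requires a leading slash, so a protocol-relative value beginning with two slashes (`//...`) still passes even though browsers resolve it against a different host, which is narrower than the "same root" intent stated in the commit message; consider also rejecting a second character of `/` or `\` (for example `params.from.charAt(1) !== '/' && params.from.charAt(1) !== '\\'`), or resolving the value with `new URL(params.from, window.location.origin)` and comparing its `origin` to `window.location.origin` before accepting it. Falling back to `undefined` when the check fails is the right default, and a one-line comment above the guard stating that `from` must be a same-origin absolute path would make the intent clear to the next reader.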
