Prevent XSS in ?back attr
xaralis committed Aug 16, 2019
1 parent c34f704 commit 1bd25d9
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions socialsystem/core/views.py
@@ -1,3 +1,5 @@
import urllib

from django.views.generic import TemplateView, FormView, DetailView
from django.urls import reverse

Expand Down Expand Up @@ -64,7 +66,11 @@ class BenefitDetailView(DetailView):
def get_context_data(self, *args, **kwargs):
data = super().get_context_data(*args, **kwargs)

if self.request.GET.get('back', None) is not None:
data['back_link'] = self.request.GET['back']
back = self.request.GET.get('back', None)
parsed_back_url = urllib.parse.urlparse(back)

# We only allow blank scheme, e.g. relative urls to avoid reflected XSS
if back is not None and parsed_back_url.scheme == "":
data['back_link'] = back

return data
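Review bot: The scheme test on the new `if back is not None and parsed_back_url.scheme == "":` line still admits network-path references such as `//evil.example/` (urlparse yields scheme '' with netloc 'evil.example'), and on Python builds that predate urllib's removal of tabs and newlines from URLs (bpo-43882, mid-2021 — i.e. every interpreter available when this commit was made) a value like `java%09script:alert(1)` or a scheme preceded by whitespace also parses as scheme-less, while browsers strip those characters from an href and execute it. Django ships a validator written for exactly this case; replacing the urlparse logic with `from django.utils.http import is_safe_url` (renamed `url_has_allowed_host_and_scheme` in Django 3.0) and `if back and is_safe_url(back, allowed_hosts={self.request.get_host()}): data['back_link'] = back` rejects those forms, the `\\host` backslash variant and leading control characters, and keeps the same-origin relative links this view wants. Separately, `import urllib` at the top of the file does not by itself bind the `parse` submodule, so `urllib.parse.urlparse(back)` only works because some other module has already imported it; `import urllib.parse` is the dependable spelling. The enclosing class `BenefitDetailView` starts outside the hunk.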
