pkp · henriqueramos · Dec 26, 2021 · Dec 26, 2021 · jonasraoni · Dec 27, 2021
diff --git a/cypress/tests/integration/Locales.spec.js b/cypress/tests/integration/Locales.spec.js
@@ -0,0 +1,22 @@
+/**
+ * @file cypress/tests/integration/Locales.spec.js
+ *
+ * Copyright (c) 2014-2021 Simon Fraser University
+ * Copyright (c) 2000-2021 John Willinsky
+ * Distributed under the GNU GPL v3. For full terms see the file docs/COPYING.
+ *
+ */
+
+ describe('Locales tests', function() {
+    it('Checking locale switch operation', function() {
+        cy.login('dbarnes', null, 'publicknowledge');
+        // Change locale to fr_CA
+        cy.get('div.app__userNav > button.pkpButton').click();
+        cy.get('div.pkpDropdown__content div.pkpDropdown__section > ul li:contains("Français (Canada)")').click();
+        cy.get('a.app__contextTitle').contains('Journal de la connaissance du public');
+        // Change locale to en_US
+        cy.get('div.app__userNav > button.pkpButton').click();
+        cy.get('div.pkpDropdown__content div.pkpDropdown__section > ul li:contains("English")').click();
+        cy.get('a.app__contextTitle').contains('Journal of Public Knowledge');
+    });
+})
diff --git a/pages/user/PKPUserHandler.inc.php b/pages/user/PKPUserHandler.inc.php
@@ -14,10 +14,11 @@
  */
 
 use APP\handler\Handler;
-
+use APP\i18n\AppLocale;
 use APP\template\TemplateManager;
+use PKP\config\Config;
 use PKP\core\JSONMessage;
-
+use PKP\security\Validation;
 use PKP\user\InterestManager;
 
 class PKPUserHandler extends Handler
@@ -50,16 +51,26 @@ public function setLocale($args, $request)
             $session->setSessionVar('currentLocale', $setLocale);
         }
 
-        $source = $request->getUserVar('source');
-        if (preg_match('#^/\w#', $source) === 1) {
-            $request->redirectUrl($source);
+        if (!isset($_SERVER['HTTP_REFERER'])) {
+            $request->redirect(null, 'index');
+
+            return;
         }
 
-        if (isset($_SERVER['HTTP_REFERER'])) {
-            $request->redirectUrl($_SERVER['HTTP_REFERER']);
+        $baseUrlParsed = parse_url(Config::getVar('general', 'base_url'));
+        $refererParsed = parse_url($_SERVER['HTTP_REFERER']);
+
+        if (
+            !isset($baseUrlParsed['host']) ||
+            !isset($refererParsed['host']) ||
+            $baseUrlParsed['host'] !== $refererParsed['host']
+        ) {
+            $request->redirect(null, 'index');
+
+            return;
         }
 
-        $request->redirect(null, 'index');
+        $request->redirectUrl($_SERVER['HTTP_REFERER']);
     }
 
     /**