Patched a XSS hole where redirect_to could contain a malicious URL.

system/cms/core/MY_Controller.php

@@ -158,11 +158,6 @@ public function __construct()
 			$_POST = $this->security->xss_clean($_POST);
 		}
 
-		if ($this->module)
-		{
-			Asset::add_path('module', $this->module_details['path'].'/');
-		}
-
 		$this->load->vars($pyro);
 
 		$this->benchmark->mark('my_controller_end');

system/cms/modules/users/controllers/users.php

@@ -76,7 +76,9 @@ public function view($id = NULL)
 	public function login()
 	{
 		// Check post and session for the redirect place
-		$redirect_to = $this->input->post('redirect_to') ? $this->input->post('redirect_to') : $this->session->userdata('redirect_to');
+		$redirect_to = ($this->input->post('redirect_to')) 
+			? trim(urldecode($this->input->post('redirect_to')))
+			: $this->session->userdata('redirect_to');
 
 		// Any idea where we are heading after login?
 		if ( ! $_POST AND $args = func_get_args())
@@ -120,7 +122,31 @@ public function login()
 			// trigger a post login event for third party devs
 			Events::trigger('post_user_login');
 
-			redirect($redirect_to ? $redirect_to : '');
+			if ($this->input->is_ajax_request())
+			{
+				$user = $this->ion_auth->get_user_by_email($user->email);
+				$user->password = '';
+				$user->salt = '';
+
+				exit(json_encode(array('status' => true, 'message' => lang('user_logged_in'), 'data' => $user)));
+			}
+			else
+			{
+				$this->session->set_flashdata('success', lang('user_logged_in'));
+			}
+
+			// Don't allow protocols or cheeky requests
+			if (strpos($redirect_to, ':') !== FALSE)
+			{
+				// Just login to the homepage
+				redirect('');
+			}
+
+			// Passes muster, on your way
+			else
+			{
+				redirect($redirect_to ? $redirect_to : '');
+			}
 		}
 
 		$this->template->build('login', array(