
Login page will not redirect to URLs that don't start with a /

1 parent b9b8133 commit 6a9a82197b049e51ff1dd576b843954863c0dde3 ultonis committed Oct 7, 2012
Showing with 6 additions and 3 deletions.
  1. +2 −2 src/foreclojure/login.clj
  2. +4 −1 src/foreclojure/utils.clj
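--- a/src/foreclojure/login.clj
+++ b/src/foreclojure/login.clj
@@ -3,7 +3,7 @@
 [ring.util.response :as response])
 (:import [org.jasypt.util.password StrongPasswordEncryptor])
 (:use [hiccup.form :only [form-to label text-field password-field check-box]]
- [foreclojure.utils :only [from-mongo flash-error flash-msg form-row assuming send-email login-url]]
+ [foreclojure.utils :only [from-mongo flash-error flash-msg form-row assuming send-email login-url is-relative-url?]]
 [foreclojure.template :only [def-page content-page]]
 [foreclojure.messages :only [err-msg]]
 [compojure.core :only [defroutes GET POST]]
@@ -33,7 +33,7 @@
 (def-page my-login-page [location]
 (do
- (if location (session/put! :login-to location))
+ (if (and location (is-relative-url? location)) (session/put! :login-to location))
 {:title "4clojure - login"
 :content
 (content-page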
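Review bot: The one-armed `if` on the changed `session/put!` line is the idiomatic `when` in Clojure, and the condition reads more clearly without the nested `and`: `(when (and location (is-relative-url? location)) (session/put! :login-to location))` or, equivalently, `(when (and location (is-relative-url? location)) …)` split over two lines. Note also that the value stored in the session is the raw `location`, while `is-relative-url?` (defined in utils.clj) validates a decoded copy; whether the later redirect sees the same string as the check depends on how `:login-to` is consumed, which is outside this hunk. The `def-page` form continues past the end of the hunk.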
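--- a/src/foreclojure/utils.clj
+++ b/src/foreclojure/utils.clj
@@ -7,7 +7,7 @@
 [clojure.string :as string]
 [foreclojure.git :as git]
 [hiccup.page :as hiccup])
- (:import [java.net URLEncoder]
+ (:import [java.net URLEncoder URLDecoder]
 (org.apache.commons.lang StringEscapeUtils)
 (org.apache.commons.mail HtmlEmail))
 (:use [hiccup.core :only [html]]
@@ -84,6 +84,9 @@
 ([m ks f & args]
 (maybe-update m ks #(apply f % args))))
+(defn is-relative-url? [location]
+ (.startsWith (URLDecoder/decode location) "/"))
+
 (defn login-url
 ([] (login-url *url*))
 ([location]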
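Review bot: `is-relative-url?` accepts any string that starts with `/`, which still lets a protocol-relative value such as `//host/path` through, and browsers resolve that to another origin, so the open-redirect fix in the new function is incomplete; it should also reject a second character of `/` or `\`. Two smaller issues on the same line: the one-argument `URLDecoder/decode` uses the platform default charset (the two-argument overload with `"UTF-8"` is the documented form), and `URLDecoder/decode` throws `IllegalArgumentException` on a malformed percent sequence, so a bad `location` query parameter would turn into a server error on the login page rather than being treated as not relative. A tightened version, with a docstring stating that only same-origin paths are accepted, is below; `login-url` continues past the hunk and is unaffected.
```clojure
(defn is-relative-url?
  "True when location decodes to a same-origin path: it must start with a
   single / and not with // or /\\ (protocol-relative forms). Malformed
   percent-encoding is treated as not relative rather than thrown."
  [location]
  (try
    (let [s (URLDecoder/decode location "UTF-8")]
      (and (.startsWith s "/")
           (not (.startsWith s "//"))
           (not (.startsWith s "/\\"))))
    (catch IllegalArgumentException _ false)))
```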
