SECURITY: Properly escape URLs when writing redirections
parent
1cb59fc2ce
commit
723b8f7872
3
main.go
3
main.go
|
@ -16,6 +16,7 @@ import (
|
|||
"os"
|
||||
"strings"
|
||||
"sync"
|
||||
"text/template"
|
||||
"time"
|
||||
|
||||
"github.com/golang/groupcache/lru"
|
||||
|
@ -226,7 +227,7 @@ func redirectIfNoCookie(handler http.Handler, r *http.Request, w http.ResponseWr
|
|||
})
|
||||
|
||||
// works around weird safari stuff
|
||||
fmt.Fprintf(w, "<html><head></head><body><script>window.location = '%v'</script></body>", returnUrl)
|
||||
fmt.Fprintf(w, "<html><head></head><body><script>window.location = '%v'</script></body>", template.JSEscapeString(returnUrl))
|
||||
}
|
||||
}
|
||||
|
||||
|
|
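Review bot: Escaping the value for the JavaScript string literal on the new `fmt.Fprintf` line stops it from breaking out of the quotes or the `<script>` element, but the value is still assigned to `window.location` without any check on where it points. Where `returnUrl` is built is outside this hunk; if any part of it comes from the request, a URL with a non-http(s) scheme or a foreign host would still be followed by the browser. I would parse it before writing, e.g. `u, err := url.Parse(returnUrl)` followed by `if err != nil || (u.Scheme != "" && u.Scheme != "http" && u.Scheme != "https") { http.Error(w, "invalid return URL", http.StatusBadRequest); return }`, and also compare `u.Host` with the expected host if redirects are meant to stay on-site. That needs `net/url` in the import block, which is only partly visible here, and redirectIfNoCookie itself begins before the hunk.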