SECURITY: Properly escape URLs when writing redirections

Kane York 2020-06-08 10:42:54 -07:00
parent 1cb59fc2ce
commit 723b8f7872
No known key found for this signature in database
GPG Key ID: 657F460D20894666
1 changed files with 2 additions and 1 deletions


@ -16,6 +16,7 @@ import (
"os"
"strings"
"sync"
"text/template"
"time"
"github.com/golang/groupcache/lru"
@ -226,7 +227,7 @@ func redirectIfNoCookie(handler http.Handler, r *http.Request, w http.ResponseWr
})
// works around weird safari stuff
fmt.Fprintf(w, "<html><head></head><body><script>window.location = '%v'</script></body>", returnUrl)
fmt.Fprintf(w, "<html><head></head><body><script>window.location = '%v'</script></body>", template.JSEscapeString(returnUrl))
}
}
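Review bot: `template.JSEscapeString` on the `window.location` line keeps `returnUrl` from breaking out of the quoted JavaScript string or the `<script>` element, but it does not constrain the URL itself, so a `javascript:` scheme or an unexpected host would still be assigned as written. How `returnUrl` is built lies outside this hunk, so this matters only if any part of it comes from the request. In that case validate it before the `Fprintf`, for example `if u, err := url.Parse(returnUrl); err != nil || (u.Scheme != "http" && u.Scheme != "https") { http.Error(w, "invalid redirect target", http.StatusBadRequest); return }`, adjusted if relative targets are expected, and ideally also compare `u.Host` with the expected host. That needs `net/url`, which is not visible in the import hunk. A comment above the line such as `// returnUrl is interpolated into a JS string literal; escape for that context` would help keep the escape from being dropped later.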