discourse
/
discourse-auth-proxy
mirror of https://github.com/discourse/discourse-auth-proxy.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Properly escape URLs when writing redirections

This commit is contained in:
Kane York 2020-06-08 10:42:54 -07:00
parent 1cb59fc2ce
commit 723b8f7872
No known key found for this signature in database
GPG Key ID: 657F460D20894666
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
main.go
View File

@ -16,6 +16,7 @@ import (
"os" "os"
"strings" "strings"
"sync" "sync"
"text/template"
"time" "time"
"github.com/golang/groupcache/lru" "github.com/golang/groupcache/lru"
@ -226,7 +227,7 @@ func redirectIfNoCookie(handler http.Handler, r *http.Request, w http.ResponseWr
}) })
// works around weird safari stuff // works around weird safari stuff
fmt.Fprintf(w, "<html><head></head><body><script>window.location = '%v'</script></body>", returnUrl) fmt.Fprintf(w, "<html><head></head><body><script>window.location = '%v'</script></body>", template.JSEscapeString(returnUrl))
} }
} }