mozilla / django-browserid

Django application for adding BrowserID support.
Mozilla Public License 2.0

Fix #248: Fix next param logic and move logic to Python. #257

Closed Osmose closed 10 years ago

Osmose commented 10 years ago

By deciding whether to redirect the user to the next param URL or the default URL in Python instead of JavaScript, we can rely on Django’s is_safe_url logic.

Osmose commented 10 years ago

@peterbe r?

peterbe commented 10 years ago

Looks good. I tested it locally. If I do $('a.browserid-login').data('next', '/different') it really does redirect to /different but if I do $('a.browserid-login').data('next', 'http://www.peterbe.com') it does not redirect there and instead redirects to /. The same test worked for the logout link. I can "tamper" it but only iff it's to a local path.

r+
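The server-side decision this PR relies on, written out as an added example (not django-browserid's or Django's own code): a stdlib mirror of the checks Django's `is_safe_url` made at the time, wrapped in a `choose_redirect` helper that reproduces peterbe's two manual tests above. The request host `example.com`, the helper names and the sample inputs are assumptions.

```python
from urllib.parse import urlparse

# Constructed request host for the examples below (an assumption, not from the PR).
REQUEST_HOST = "example.com"
DEFAULT_REDIRECT = "/"


def is_safe_url_like_django(url, host):
    """Stdlib mirror of the checks Django's is_safe_url applied at the time.

    A URL is safe only if it is relative to the current site, or absolute with
    the same host and an http/https scheme. The odd cases below are the ones
    browsers parse differently from urlparse, which is where open redirects hide.
    """
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    # Chrome treats a backslash exactly like a forward slash.
    url = url.replace("\\", "/")
    # Chrome treats three or more leading slashes as an absolute URL; urlparse does not.
    if url.startswith("///"):
        return False
    info = urlparse(url)
    # "http:///evil.example": a scheme but no netloc; Chrome still reads evil.example as the host.
    if info.scheme and not info.netloc:
        return False
    host_ok = not info.netloc or info.netloc == host
    scheme_ok = not info.scheme or info.scheme in ("http", "https")
    return host_ok and scheme_ok


def choose_redirect(next_param, host=REQUEST_HOST, default=DEFAULT_REDIRECT):
    """The decision the PR moves out of JavaScript and into the Python view:
    honour ``next`` only when it is safe, otherwise fall back to the default."""
    if is_safe_url_like_django(next_param, host):
        return next_param
    return default


if __name__ == "__main__":
    # peterbe's two manual tests from the review, plus the tricky forms handled above.
    for candidate in ["/different", "http://www.peterbe.com", "//evil.example",
                      "\\\\evil.example", "http:///evil.example", "javascript:alert(1)"]:
        print(f"{candidate!r:28} -> {choose_redirect(candidate)!r}")
```

Later Django releases renamed `is_safe_url` to `url_has_allowed_host_and_scheme`; with Django installed, call that rather than the mirror here.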