Closed Osmose closed 10 years ago
@peterbe r?
Looks good. I tested it locally. If I do `$('a.browserid-login').data('next', '/different')` it really does redirect to `/different`, but if I do `$('a.browserid-login').data('next', 'http://www.peterbe.com')` it does not redirect there and instead redirects to `/`. The same test worked for the logout link. I can "tamper" it but only iff it's to a local path.
r+
By deciding whether to redirect the user to the `next` param URL or the default URL in Python instead of JavaScript, we can rely on Django's `is_safe_url` logic.
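The server-side decision the description refers to, as an added example that is not code from this pull request: a stand-alone `next` validator modelled on the checks Django's `is_safe_url` (since renamed `url_has_allowed_host_and_scheme`) performs, written without a Django dependency so it runs anywhere. The `allowed_hosts` set, the `resolve_redirect` helper and the `/` fallback are assumptions of this demo; a real view should call Django's function itself.

```python
import unicodedata
from urllib.parse import urlparse


def is_local_next(url, allowed_hosts):
    """Return True only for a relative path or an http(s) URL on an allowed host."""
    if not url:
        return False
    # Chrome treats any URL with three leading slashes as absolute; urlparse does not.
    if url.startswith("///"):
        return False
    # Some browsers skip leading control characters and may then read the URL
    # as scheme-relative, so reject those outright.
    if unicodedata.category(url[0])[0] == "C":
        return False
    try:
        parts = urlparse(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # "http:///evil.example" parses with an empty netloc, but Chrome uses it as the host.
    if parts.scheme and not parts.netloc:
        return False
    scheme = parts.scheme
    # A scheme-relative URL ("//evil.example/x") is effectively http.
    if not scheme and parts.netloc:
        scheme = "http"
    if scheme and scheme not in ("http", "https"):  # javascript:, data:, ...
        return False
    return not parts.netloc or parts.netloc in allowed_hosts


def resolve_redirect(next_param, allowed_hosts, default="/"):
    """Server-side decision the PR moves out of JavaScript: follow `next` only if local.

    Browsers treat a backslash in a path as a slash, so "/\\evil.example" would become
    "//evil.example"; check the URL both as given and with backslashes replaced.
    """
    if (
        next_param
        and is_local_next(next_param, allowed_hosts)
        and is_local_next(next_param.replace("\\", "/"), allowed_hosts)
    ):
        return next_param
    return default


if __name__ == "__main__":
    # Constructed inputs mirroring the manual test in the review above.
    hosts = {"example.com"}  # assumed: the site's own host(s), e.g. from ALLOWED_HOSTS
    for candidate in ("/different", "http://www.peterbe.com", "//www.peterbe.com"):
        print(repr(candidate), "->", resolve_redirect(candidate, hosts))
```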