To allow a user to be redirected to the previous or a specific page after login, Django has a default native parameter `next` for that. When I want to implement it, this is the way:
login.html template:
```html
<form method="get" action="{% url 'django_auth_adfs:login' %}">{% csrf_token %}
  <input type="hidden" name="next" value="{{ next }}">
  <button type="submit" class="btn btn-info"><i class="fa-brands fa-windows"></i> Log in with ADFS</button>
</form>
```
It works fine, but the OWASP scanner flags it as an XSLT injection medium-priority warning.
What I did then:
Changed the form method from GET to POST:
```html
<form method="post" action="{% url 'django_auth_adfs:login' %}">{% csrf_token %}
  <input type="hidden" name="next" value="{{ next }}">
  <button type="submit" class="btn btn-info"><i class="fa-brands fa-windows"></i> Log in with ADFS</button>
</form>
```
Added post view:
```python
from django.conf import settings as django_settings
from django.contrib.auth import REDIRECT_FIELD_NAME  # "next"


def build_authorization_endpoint(self, request, disable_sso=None, force_mfa=False):
    self.load_config()
    # Prefer the "next" value from the POST body, then fall back to the
    # query string, then to LOGIN_REDIRECT_URL.
    redirect_to = request.POST.get(REDIRECT_FIELD_NAME, None)
    if not redirect_to:
        redirect_to = request.GET.get(REDIRECT_FIELD_NAME, None)
    if not redirect_to:
        redirect_to = django_settings.LOGIN_REDIRECT_URL
    ...
```
Now POST support is added, but OWASP still detects it as XSLT injection. When I removed/disallowed the `get()` method in `OAuth2LoginView`, OWASP doesn't detect it anymore.
My question is whether you could also add POST support for login to this library. 🙂
Thanks.
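The `next` value that reaches the view, whether from the POST body or the query string, is user-controlled, so whichever request method is supported it should be checked before the user is redirected to it. The snippet below is an added example, not code from the issue author or from django-auth-adfs: it mirrors the POST-then-GET-then-default precedence of the snippet above and adds a stdlib-only stand-in for Django's `url_has_allowed_host_and_scheme()` (which is what a real project should call), assuming an `allowed_hosts` set supplied by the caller.

```python
from urllib.parse import urlparse

# Same field name Django uses (django.contrib.auth.REDIRECT_FIELD_NAME).
REDIRECT_FIELD_NAME = "next"


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """Return True only if `url` stays on one of `allowed_hosts`.

    Stdlib stand-in for Django's url_has_allowed_host_and_scheme(): rejects
    scheme-relative ("//evil.example"), backslash ("/\\evil.example") and
    non-http(s) targets, which is what an open-redirect check must catch.
    """
    if not url or url.strip() != url or any(ord(c) < 0x20 for c in url):
        return False
    # Browsers treat backslashes as slashes, so check both spellings.
    for candidate in (url, url.replace("\\", "/")):
        if candidate.startswith("///"):
            return False  # urlparse() would report an empty netloc here
        parsed = urlparse(candidate)
        if parsed.netloc and parsed.netloc not in allowed_hosts:
            return False
        if parsed.scheme and parsed.scheme not in ("http", "https"):
            return False
        if require_https and parsed.scheme == "http":
            return False
    return True


def resolve_redirect(post_data, get_data, allowed_hosts, default="/"):
    """Pick the post-login target the way the issue describes (POST body first,
    then query string, then the configured default), but only use the
    submitted value when it passes is_safe_redirect()."""
    redirect_to = post_data.get(REDIRECT_FIELD_NAME) or get_data.get(REDIRECT_FIELD_NAME)
    if redirect_to and is_safe_redirect(redirect_to, allowed_hosts):
        return redirect_to
    return default


if __name__ == "__main__":
    # Constructed sample inputs: the host set and form data are made up.
    hosts = {"app.example"}
    print(resolve_redirect({"next": "/profile/"}, {}, hosts))          # /profile/
    print(resolve_redirect({}, {"next": "//evil.example/"}, hosts))   # /
```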