authorerdgeist <erdgeist@erdgeist.org>2026-06-29 21:25:22 +0200
committererdgeist <erdgeist@erdgeist.org>2026-06-30 19:19:06 +0200
commite6f59af64c7645cae130a92a4b7afd908a84c983 (patch)
tree18626d2340bcef120bd2cd4c85bd985852cc5519 /app/controllers
parentc96dce638ec8f10db18a871bae7fc7a3d14fa5b3 (diff)
Prevent xss by not allowing return_to to point to javascript resources
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/events_controller.rb5
1 files changed, 3 insertions, 2 deletions
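--- a/app/controllers/events_controller.rb
+++ b/app/controllers/events_controller.rb
@@ -42,6 +42,7 @@ class EventsController < ApplicationController
 # GET /events/1/edit
 def edit
 @event = Event.find(params[:id])
+@return_to = params[:return_to] || events_path
 end
 
 # POST /events
@@ -52,7 +53,7 @@ class EventsController < ApplicationController
 respond_to do |format|
 if @event.save
 flash[:notice] = 'Event was successfully created.'
-format.html { redirect_to(edit_node_path(@event.node)) }
+format.html { redirect_to(@event.node ? edit_node_path(@event.node) : edit_event_path(@event)) }
 format.xml { render :xml => @event, :status => :created, :location => @event }
 else
 format.html { render :action => "new" }
@@ -69,7 +70,7 @@ class EventsController < ApplicationController
 respond_to do |format|
 if @event.update(event_params)
 flash[:notice] = 'Event was successfully updated.'
-format.html { redirect_to(edit_node_path(@event.node)) }
+format.html { redirect_to(safe_return_to(params[:return_to] || events_path)) }
 format.xml { head :ok }
 else
 format.html { render :action => "edit" }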
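Review bot: The first hunk stores `params[:return_to]` into `@return_to` unfiltered in `edit`, while only the redirect in `update` (third hunk) is routed through `safe_return_to`; if the edit view renders `@return_to` as a link target or round-trips it through a hidden field, the javascript: value the commit title is about still reaches the page from that side. Sanitize at the point the value enters the controller instead: `@return_to = safe_return_to(params[:return_to] || events_path)`. `safe_return_to` is not defined anywhere in this diff (the diffstat limited to app/controllers lists only this file), so it cannot be confirmed here whether it also rejects absolute and protocol-relative URLs; a redirect to a user-supplied value that is merely not `javascript:` is still an open redirect, so the helper should accept only same-site paths (anchored with `\A/` and not starting with `//`) and fall back to `events_path` otherwise. A one-line comment above the `redirect_to` in `update`, e.g. `# return_to is user input: restricted to local paths by safe_return_to`, would make the trust boundary visible to the next reader.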