| author | erdgeist <erdgeist@erdgeist.org> | 2026-06-29 21:25:22 +0200 |
|---|---|---|
| committer | erdgeist <erdgeist@erdgeist.org> | 2026-06-30 19:19:06 +0200 |
| commit | e6f59af64c7645cae130a92a4b7afd908a84c983 (patch) | |
| tree | 18626d2340bcef120bd2cd4c85bd985852cc5519 /app/helpers/application_helper.rb | |
| parent | c96dce638ec8f10db18a871bae7fc7a3d14fa5b3 (diff) | |
Prevent xss by not allowing return_to to point to javascript resources
Diffstat (limited to 'app/helpers/application_helper.rb')
| -rw-r--r-- | app/helpers/application_helper.rb | 10 |
1 files changed, 10 insertions, 0 deletions
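--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -11,4 +11,14 @@ module ApplicationHelper
 end
 end
 end
+
+def safe_return_to(url)
+return events_path if url.blank?
+uri = URI.parse(url)
+return events_path if uri.host.present?
+return events_path unless url.start_with?('/')
+url
+rescue URI::InvalidURIError
+events_path
+end
 end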
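Review bot: `return events_path unless url.start_with?('/')` still lets through a value that begins with two or more slashes when `URI.parse` reports an empty rather than nil host (a constructed example: `///example.invalid`), and browsers resolve such a value as scheme-relative; if the result ever lands in an `href` or a raw `Location` header instead of Rails' `redirect_to` (which prefixes the request host), the same-origin intent of this helper is defeated. Tightening the last guard to `return events_path if url.start_with?('//') || !url.start_with?('/')` closes that gap, and an explicit `return events_path if uri.scheme.present?` next to the host check would state the intent directly rather than relying on the leading-slash test to reject `javascript:` values. The method also has no documentation; a comment such as `# Returns url only when it is a path-only relative URL on this origin; otherwise (absolute, scheme-relative, blank or unparseable) falls back to events_path.` would help. How callers consume the returned value is outside this hunk, so the impact of the bypass depends on the call site.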
