authorerdgeist <erdgeist@erdgeist.org>2026-06-29 21:25:22 +0200
committererdgeist <erdgeist@erdgeist.org>2026-06-30 19:19:06 +0200
commite6f59af64c7645cae130a92a4b7afd908a84c983 (patch)
tree18626d2340bcef120bd2cd4c85bd985852cc5519 /app/helpers
parentc96dce638ec8f10db18a871bae7fc7a3d14fa5b3 (diff)
Prevent XSS by not allowing return_to to point to javascript: URLs
Diffstat (limited to 'app/helpers')
-rw-r--r--app/helpers/application_helper.rb10
1 files changed, 10 insertions, 0 deletions
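diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 0be66e9..72b76b8 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -11,4 +11,14 @@ module ApplicationHelper
 end
 end
 end
+
+def safe_return_to(url)
+return events_path if url.blank?
+uri = URI.parse(url)
+return events_path if uri.host.present?
+return events_path unless url.start_with?('/')
+url
+rescue URI::InvalidURIError
+events_path
+end
 end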
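Review bot: A return_to of `///evil.example` (three or more leading slashes) still passes the new safe_return_to: `URI.parse` yields an absent or empty host, so `uri.host.present?` is false, and the string starts with `/`, so it is returned unchanged; browsers collapse the extra leading slashes into a scheme-relative URL, so if this value feeds a redirect or an href it can still leave the site. Adding `return events_path if url.start_with?('//')` after the host check closes this (it is the same extra condition Rails' own `url_from` applies). The `start_with?('/')` test rejects `javascript:` and other schemes only indirectly, which works but deserves a stated contract, e.g. `# Only same-origin absolute-path URLs are allowed; anything else falls back to events_path.` The enclosing ApplicationHelper module opens before this hunk.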