authorerdgeist <erdgeist@erdgeist.org>2026-06-29 21:25:22 +0200
committererdgeist <erdgeist@erdgeist.org>2026-06-30 19:19:06 +0200
commite6f59af64c7645cae130a92a4b7afd908a84c983 (patch)
tree18626d2340bcef120bd2cd4c85bd985852cc5519 /app/views
parentc96dce638ec8f10db18a871bae7fc7a3d14fa5b3 (diff)
Prevent XSS by not allowing return_to to point to javascript: resources
Diffstat (limited to 'app/views')
-rw-r--r--app/views/events/edit.html.erb7
1 files changed, 5 insertions, 2 deletions
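--- a/app/views/events/edit.html.erb
+++ b/app/views/events/edit.html.erb
@@ -1,12 +1,15 @@
 <% content_for :subnavigation do %>
-  <%= link_to 'back', edit_node_path(@event.node) %>
+  <%= link_to 'back', safe_return_to(params[:return_to] || events_path) %>
+  <% if @event.node %>
+    <%= link_to 'node', edit_node_path(@event.node) %>
+  <% end %>
   <%= link_to 'show', @event %>
 <% end %>
 
-
 <h1>Editing event</h1>
 
 <%= form_for(@event) do |f| %>
+  <%= hidden_field_tag :return_to, @return_to %>
   <%= form_error_messages(f) %>
 
   <p>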
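Review bot: The 'back' link on new line 2 passes `params[:return_to]` through `safe_return_to`, but the hidden field added on new line 12 round-trips `@return_to` unfiltered, so whatever the controller stored (presumably the same parameter) is re-submitted and the protection on the post-update redirect rests entirely on the controller applying the same check. Consider emitting the hidden field from the sanitized value as well, `<%= hidden_field_tag :return_to, safe_return_to(@return_to) %>`, or assigning `@return_to` in the controller only after filtering, so both places agree. `safe_return_to` is not in this hunk and the commit message suggests it targets `javascript:` URLs; it is worth confirming it also rejects `data:` and `vbscript:` schemes, protocol-relative `//host` paths and absolute URLs, since only an allow-list of local paths covers both the XSS case and open redirects. Also, `params[:return_to] || events_path` lets an empty string through because `""` is truthy in Ruby; `params[:return_to].presence || events_path` falls back to `events_path` correctly.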