| author | erdgeist <erdgeist@erdgeist.org> | 2026-06-29 21:25:22 +0200 |
|---|---|---|
| committer | erdgeist <erdgeist@erdgeist.org> | 2026-06-30 19:19:06 +0200 |
| commit | e6f59af64c7645cae130a92a4b7afd908a84c983 (patch) | |
| tree | 18626d2340bcef120bd2cd4c85bd985852cc5519 /app | |
| parent | c96dce638ec8f10db18a871bae7fc7a3d14fa5b3 (diff) | |
Prevent XSS by not allowing return_to to point to JavaScript resources
Diffstat (limited to 'app')
| -rw-r--r-- | app/controllers/events_controller.rb | 5 | ||||
| -rw-r--r-- | app/helpers/application_helper.rb | 10 | ||||
| -rw-r--r-- | app/views/events/edit.html.erb | 7 |
3 files changed, 18 insertions, 4 deletions
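--- a/app/controllers/events_controller.rb
+++ b/app/controllers/events_controller.rb
@@ -42,6 +42,7 @@ class EventsController < ApplicationController
   # GET /events/1/edit
   def edit
     @event = Event.find(params[:id])
+    @return_to = params[:return_to] || events_path
   end
 
   # POST /events
@@ -52,7 +53,7 @@ class EventsController < ApplicationController
     respond_to do |format|
       if @event.save
         flash[:notice] = 'Event was successfully created.'
-        format.html { redirect_to(edit_node_path(@event.node)) }
+        format.html { redirect_to(@event.node ? edit_node_path(@event.node) : edit_event_path(@event)) }
         format.xml { render :xml => @event, :status => :created, :location => @event }
       else
         format.html { render :action => "new" }
@@ -69,7 +70,7 @@ class EventsController < ApplicationController
     respond_to do |format|
       if @event.update(event_params)
         flash[:notice] = 'Event was successfully updated.'
-        format.html { redirect_to(edit_node_path(@event.node)) }
+        format.html { redirect_to(safe_return_to(params[:return_to] || events_path)) }
         format.xml { head :ok }
       else
         format.html { render :action => "edit" }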
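Review bot: `safe_return_to` is defined in ApplicationHelper, a view helper, but the new success branch of `update` calls it directly in controller scope; unless ApplicationHelper is included into the controller somewhere not shown here, view helpers are not in scope there and this line will raise NoMethodError on the success path. Either go through the helper proxy, `redirect_to(helpers.safe_return_to(params[:return_to]))` (Rails 5 and later), or define the method in ApplicationController with `helper_method :safe_return_to` so the controller and the views share one implementation. The `edit` action also stores the raw `params[:return_to]` in `@return_to`; running it through the same helper there, `@return_to = safe_return_to(params[:return_to])`, avoids handing the form a value that will later be discarded. The bodies of `create` and `update` continue outside the hunk.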
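--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -11,4 +11,14 @@ module ApplicationHelper
       end
     end
   end
+
+  def safe_return_to(url)
+    return events_path if url.blank?
+    uri = URI.parse(url)
+    return events_path if uri.host.present?
+    return events_path unless url.start_with?('/')
+    url
+  rescue URI::InvalidURIError
+    events_path
+  end
 end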
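Review bot: The host check on line 18 does not catch a scheme-relative target written with three or more slashes: Ruby's parser gives `///evil.example` an empty authority and the path `/evil.example`, so `uri.host.present?` is false and the value then satisfies `start_with?('/')`, while browsers following the WHATWG URL parser collapse the leading slashes and navigate to `evil.example`. The backslash variant `/\evil.example` is only rejected because `URI.parse` happens to raise on it, which is not a property worth relying on. Replace the prefix test on line 19 with `return events_path unless url.match?(%r{\A/(?![/\\])})` so that exactly one leading slash is accepted, and if this is Rails 7 or later consider `allow_other_host: false` on the `redirect_to` call as a second line of defence. The rest of the helper looks right: `javascript:` and `data:` values fail the leading-slash test, blank input falls back to `events_path`, and `URI::InvalidURIError` is handled.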
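--- a/app/views/events/edit.html.erb
+++ b/app/views/events/edit.html.erb
@@ -1,12 +1,15 @@
 <% content_for :subnavigation do %>
-  <%= link_to 'back', edit_node_path(@event.node) %>
+  <%= link_to 'back', safe_return_to(params[:return_to] || events_path) %>
+  <% if @event.node %>
+    <%= link_to 'node', edit_node_path(@event.node) %>
+  <% end %>
   <%= link_to 'show', @event %>
 <% end %>
 
-
 <h1>Editing event</h1>
 
 <%= form_for(@event) do |f| %>
+  <%= hidden_field_tag :return_to, @return_to %>
   <%= form_error_messages(f) %>
 
   <p>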
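Review bot: The hidden `return_to` field on line 12 reads `@return_to`, which only the `edit` action sets; when `update` fails validation and re-renders this template via `render :action => "edit"`, `@return_to` is nil, the field is emitted empty and the return target is lost on the next submit, while the `back` link on line 2 keeps working because it reads `params[:return_to]` directly. Deriving both from the same sanitised value closes the gap: `<%= link_to 'back', safe_return_to(@return_to || params[:return_to]) %>` and `<%= hidden_field_tag :return_to, safe_return_to(@return_to || params[:return_to]) %>`. Emitting the raw parameter in the hidden field is not an injection risk, since `hidden_field_tag` attribute-escapes it, but there is no reason to round-trip a value the update action will discard anyway.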
