From e6f59af64c7645cae130a92a4b7afd908a84c983 Mon Sep 17 00:00:00 2001
From: erdgeist
Date: Mon, 29 Jun 2026 21:25:22 +0200
Subject: Prevent xss by not allowing return_to to point to javascript resources

---
 app/controllers/events_controller.rb | 5 +++--
 app/helpers/application_helper.rb | 10 ++++++++++
 app/views/events/edit.html.erb | 7 +++++--
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb
index 7695e9b..f50da3e 100644
--- a/app/controllers/events_controller.rb
+++ b/app/controllers/events_controller.rb
@@ -42,6 +42,7 @@ class EventsController < ApplicationController
   # GET /events/1/edit
   def edit
     @event = Event.find(params[:id])
+    @return_to = params[:return_to] || events_path
   end
 
   # POST /events
@@ -52,7 +53,7 @@ class EventsController < ApplicationController
     respond_to do |format|
       if @event.save
         flash[:notice] = 'Event was successfully created.'
-        format.html { redirect_to(edit_node_path(@event.node)) }
+        format.html { redirect_to(@event.node ? edit_node_path(@event.node) : edit_event_path(@event)) }
         format.xml { render :xml => @event, :status => :created, :location => @event }
       else
         format.html { render :action => "new" }
@@ -69,7 +70,7 @@ class EventsController < ApplicationController
     respond_to do |format|
       if @event.update(event_params)
         flash[:notice] = 'Event was successfully updated.'
-        format.html { redirect_to(edit_node_path(@event.node)) }
+        format.html { redirect_to(safe_return_to(params[:return_to] || events_path)) }
         format.xml { head :ok }
       else
         format.html { render :action => "edit" }
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 0be66e9..72b76b8 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
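Review bot: `safe_return_to` is defined in ApplicationHelper, yet the new line in `update` calls it from the controller, where view helpers are not in scope unless ApplicationController includes that module (not visible here); if it does not, every successful HTML update raises NoMethodError instead of redirecting. Either call it as `helpers.safe_return_to(params[:return_to] || events_path)` (Rails 5+) or move the method into ApplicationController and expose it to the views with `helper_method :safe_return_to`. With the helper reachable, `edit` could also store the sanitised value, `@return_to = safe_return_to(params[:return_to])`, so the hidden field and the redirect carry the same thing. If this app is on Rails 7 or later, `url_from(params[:return_to]) || events_path` is the framework's own same-host check and could replace the hand-written helper entirely. The `update` method's definition starts outside this hunk.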
@@ -11,4 +11,14 @@ module ApplicationHelper
       end
     end
   end
+
+  def safe_return_to(url)
+    return events_path if url.blank?
+    uri = URI.parse(url)
+    return events_path if uri.host.present?
+    return events_path unless url.start_with?('/')
+    url
+  rescue URI::InvalidURIError
+    events_path
+  end
 end
diff --git a/app/views/events/edit.html.erb b/app/views/events/edit.html.erb
index 824cd66..17457df 100644
--- a/app/views/events/edit.html.erb
+++ b/app/views/events/edit.html.erb
@@ -1,12 +1,15 @@
 <% content_for :subnavigation do %>
-  <%= link_to 'back', edit_node_path(@event.node) %>
+  <%= link_to 'back', safe_return_to(params[:return_to] || events_path) %>
+  <% if @event.node %>
+    <%= link_to 'node', edit_node_path(@event.node) %>
+  <% end %>
   <%= link_to 'show', @event %>
 <% end %>
-
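Review bot: The host check in `safe_return_to` still lets an empty-authority URL through: for `///evil.example` `URI.parse` reports no host (empty rather than nil, as far as I can tell) and the string starts with `/`, so it is returned unchanged, and browsers collapse the extra slashes and navigate off-site, which is the open redirect this helper is meant to close. Add `return events_path if uri.scheme.present? || url.start_with?('//')` after the parse, or tighten the last guard to `return events_path unless url.match?(%r{\A/(?!/)})`. The `rescue URI::InvalidURIError` already covers backslashes, whitespace and other malformed input that `URI.parse` rejects, so that side is fine. A one-line doc comment on the method would help the next reader: `# Returns url only if it is a same-origin absolute path; any scheme, host or malformed value falls back to events_path.`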

Editing event

<%= form_for(@event) do |f| %> + <%= hidden_field_tag :return_to, @return_to %> <%= form_error_messages(f) %>
