From e6f59af64c7645cae130a92a4b7afd908a84c983 Mon Sep 17 00:00:00 2001 From: erdgeist Date: Mon, 29 Jun 2026 21:25:22 +0200 Subject: Prevent xss by not allowing return_to to point to javascript resources --- app/controllers/events_controller.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb index 7695e9b..f50da3e 100644 --- a/app/controllers/events_controller.rb +++ b/app/controllers/events_controller.rb @@ -42,6 +42,7 @@ class EventsController < ApplicationController # GET /events/1/edit def edit @event = Event.find(params[:id]) + @return_to = params[:return_to] || events_path end # POST /events @@ -52,7 +53,7 @@ class EventsController < ApplicationController respond_to do |format| if @event.save flash[:notice] = 'Event was successfully created.' - format.html { redirect_to(edit_node_path(@event.node)) } + format.html { redirect_to(@event.node ? edit_node_path(@event.node) : edit_event_path(@event)) } format.xml { render :xml => @event, :status => :created, :location => @event } else format.html { render :action => "new" } @@ -69,7 +70,7 @@ class EventsController < ApplicationController respond_to do |format| if @event.update(event_params) flash[:notice] = 'Event was successfully updated.' - format.html { redirect_to(edit_node_path(@event.node)) } + format.html { redirect_to(safe_return_to(params[:return_to] || events_path)) } format.xml { head :ok } else format.html { render :action => "edit" } -- cgit v1.3