From e6f59af64c7645cae130a92a4b7afd908a84c983 Mon Sep 17 00:00:00 2001 From: erdgeist Date: Mon, 29 Jun 2026 21:25:22 +0200 Subject: Prevent xss by not allowing return_to to point to javascript resources --- app/views/events/edit.html.erb | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'app/views') diff --git a/app/views/events/edit.html.erb b/app/views/events/edit.html.erb index 824cd66..17457df 100644 --- a/app/views/events/edit.html.erb +++ b/app/views/events/edit.html.erb @@ -1,12 +1,15 @@ <% content_for :subnavigation do %> - <%= link_to 'back', edit_node_path(@event.node) %> + <%= link_to 'back', safe_return_to(params[:return_to] || events_path) %> + <% if @event.node %> + <%= link_to 'node', edit_node_path(@event.node) %> + <% end %> <%= link_to 'show', @event %> <% end %> -

Editing event

<%= form_for(@event) do |f| %> + <%= hidden_field_tag :return_to, @return_to %> <%= form_error_messages(f) %>

-- cgit v1.3