##// END OF EJS Templates
jro_apps » redmine
RSS
Unescape back_url param before calling redirect_to....
Jean-Philippe Lang -
r1891:8a356baf3e32
parent child
Show More
Side by Side Unified
Context file:
r1891:8a356baf3e32 Loading diff...:
Show file before | Show file after | Hide comments
@@ -16,6 +16,7
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 require 'uri'
19 require 'cgi'
19 20
20 21 class ApplicationController < ActionController::Base
21 22 layout 'base'
@@ -123,7 +124,7 class ApplicationController < ActionController::Base
123 124 end
124 125
125 126 def redirect_back_or_default(default)
126 back_url = params[:back_url]
127 back_url = CGI.unescape(params[:back_url].to_s)
127 128 if !back_url.blank?
128 129 uri = URI.parse(back_url)
129 130 # do not redirect user to another host
Show file before | Show file after | Hide comments
@@ -194,7 +194,7 class TimelogController < ApplicationController
194 194 @time_entry.attributes = params[:time_entry]
195 195 if request.post? and @time_entry.save
196 196 flash[:notice] = l(:notice_successful_update)
197 redirect_to(params[:back_url].blank? ? {:action => 'details', :project_id => @time_entry.project} : params[:back_url])
197 redirect_back_or_default :action => 'details', :project_id => @time_entry.project
198 198 return
199 199 end
200 200 end
Show file before | Show file after | Hide comments
@@ -46,12 +46,12 class AccountControllerTest < Test::Unit::TestCase
46 46
47 47 def test_login_should_redirect_to_back_url_param
48 48 # request.uri is "test.host" in test environment
49 post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.host/issues/show/1'
49 post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.host%2Fissues%2Fshow%2F1'
50 50 assert_redirected_to '/issues/show/1'
51 51 end
52 52
53 53 def test_login_should_not_redirect_to_another_host
54 post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http://test.foo/fake'
54 post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.foo%2Ffake'
55 55 assert_redirected_to '/my/page'
56 56 end
57 57
General Comments 0
You need to be logged in to leave comments. Login now