diff doc/customizing.txt @ 5161:12190efa30d4

I realized that the __came_from and __redirect_to url parameters I added to handle issues with the LoginAction and NewItemAction could be used for XSS or other purposes. So I check them using a new clean_url(url) function. This tries to validate that the url is under the tracker's base url and that the components of the url are properly url encoded. If it thinks something is wrong with the url, it will raise a ValueError. I decided to not attempt to fix the urls if there is an issue; better to bring it to the tracker admin's attention. Changed the code paths in NewItemAction and LoginAction that deal with the form parameters to use the clean_url function on the form input first.
author John Rouillard <rouilj@ieee.org>
date Sat, 23 Jul 2016 14:00:49 -0400
parents 63294ed25e84
children e1e40674a0bc
--- a/doc/customizing.txt	Fri Jul 22 20:59:44 2016 -0400
+++ b/doc/customizing.txt	Sat Jul 23 14:00:49 2016 -0400
@@ -1718,10 +1718,13 @@
 Any of the form variables may be prefixed with a classname or
 designator.
 
-Setting the form variable: ``__redirect_to=`` to a url when @action=new
-redirects the user to the specified url after successfully creating
-the new item. This is useful if you want the user to create another
-item rather than edit the newly created item.
+Setting the form variable: ``__redirect_to=`` to a url when
+@action=new redirects the user to the specified url after successfully
+creating the new item. This is useful if you want the user to create
+another item rather than edit the newly created item.  Note that the
+url assigned to ``__redirect_to`` must be url encoded/quoted and be
+under the tracker's base url. If the base_url uses http, you can set
+the url to https.
 
 Two special form values are supported for backwards compatibility:
 
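Review bot: the new sentence at the end of the paragraph states the constraint on ``__redirect_to`` (url encoded, under the tracker's base url) but not what happens when it is violated; the commit message says clean_url raises a ValueError rather than repairing the url, and an admin reading this paragraph should be told that a non-conforming value is rejected instead of silently redirecting. Suggest extending the added text along the lines of "If the url is not encoded or is not under the tracker's base url, the action is rejected with an error rather than redirecting." Two smaller points in the same lines: ``base_url`` is a config setting and should be marked up as a literal like ``__redirect_to``, and the commit message says ``__came_from`` is validated the same way, so if that variable is documented in this file it needs the same note, which this hunk does not add.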

Roundup Issue Tracker: http://roundup-tracker.org/