Verified Commit d9625979 authored by Jan Pavlinec's avatar Jan Pavlinec

foris: patch next query param bug

Note:
Backported from foris version 101.1.1
parent 93a9bc4f
#
# Copyright (C) 2019-2020 CZ.NIC z.s.p.o. (http://www.nic.cz/)
# Copyright (C) 2019-2021 CZ.NIC z.s.p.o. (http://www.nic.cz/)
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
......@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=foris
PKG_VERSION:=100.5.1
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE_SUBDIR:=$(PKG_NAME)
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://gitlab.nic.cz/turris/foris/foris.git
......
From 69184365a5f9130b78d04b4e763443d3ee49cd5d Mon Sep 17 00:00:00 2001
From: Stepan Henek <stepan.henek@nic.cz>
Date: Tue, 12 Jan 2021 11:14:52 +0100
Subject: [PATCH] Escape html for next param in login template
---
foris/templates/index.html.j2 | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/foris/templates/index.html.j2 b/foris/templates/index.html.j2
index 8a33812..180dd7e 100644
--- a/foris/templates/index.html.j2
+++ b/foris/templates/index.html.j2
@@ -18,10 +18,10 @@
{% if user_authenticated() %}
<a href="{{ url("logout") }}">{% trans %}Log out{% endtrans %}</a>
{% else %}
- <form action="{{ request.fullpath }}{{ '?next=%s' % next if next else '' }}" method="POST">
+ <form action="{{ request.fullpath }}{{ ('?next=%s' % next if next else '')|e }}" method="POST">
<input type="hidden" name="csrf_token" value="{{ get_csrf_token() }}">
- {% if request.GET.get("next") %}
- <input type="hidden" name="next" value="{{ request.GET['next'] }}">
+ {% if next %}
+ <input type="hidden" name="next" value="{{ next|e }}">
{% endif %}
<label for="field-password">{% trans %}Password{% endtrans %}</label>
<input id="field-password" type="password" name="password" placeholder="{% trans %}Password{% endtrans %}" autofocus>
--
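Review bot: In the added line `<form action="{{ request.fullpath }}{{ ('?next=%s' % next if next else '')|e }}" method="POST">`, `|e` HTML-escapes the attribute but does not percent-encode `next` as a query-string component, so once the browser decodes the entity references a value containing `&`, `#` or `?` still changes how the resulting URL is parsed. Encoding both contexts, `('?next=%s' % (next|urlencode) if next else '')|e`, keeps the attribute escaping this patch adds and makes the query value a single component. The patch does not show where `next` is checked to be a relative, same-origin path before the post-login redirect; if that check lives in the login handler it is outside this change and worth confirming alongside it. The hidden `<input type="hidden" name="next" value="{{ next|e }}">` is correct for its attribute-only context.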