19 Jun 2015, 12:51 p.m.
* Gordian Edenhofer <gordian.edenhofer@gmail.com> (Thu, 18 Jun 2015 21:28:17 +0200):
After the user was authenticated a redirect to the site which linked the user to the login page is done. This fixes FS#32481. --- […] + <input id="id_referer" type="hidden" name="referer" value="<?= !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/'; ?>" /> </p> </fieldset>
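Review bot: the value attribute of the added id_referer input echoes $_SERVER['HTTP_REFERER'] without escaping, so a Referer header containing a double quote or angle bracket closes the attribute and injects markup into the login page. Wrap the whole ternary result in htmlspecialchars(..., ENT_QUOTES) before it is printed. The field is also a hidden input that the client can rewrite before submitting, so whatever code reads "referer" after authentication should accept only a same-site path and fall back to '/' otherwise; that code is not visible in this hunk.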
You should use htmlspecialchars here, &s should be encoded as &amp; etc. But I fear this method has the same drawback as mine: the user can tamper with those hidden form fields.
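The two points raised in this reply, as an added example that is not part of the thread or of the project's code: escape the value when it is written into the form, and treat the submitted field as untrusted when choosing the redirect target. The function name `safe_redirect_target`, the host `aur.example` and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example; names and sample values below are constructed.

// Return a same-site path to redirect to, or '/' when the submitted
// value is anything other than a local path on $site_host.
function safe_redirect_target(string $candidate, string $site_host): string {
    // Reject control characters (header splitting) and backslashes
    // ("/\host" is treated like "//host" by some browsers).
    if ($candidate === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $candidate)) {
        return '/';
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return '/';
    }
    // An absolute or scheme-relative URL is accepted only for our own host.
    if (isset($parts['scheme']) || isset($parts['host'])) {
        $scheme = strtolower($parts['scheme'] ?? '');
        $host = strtolower($parts['host'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)
            || $host !== strtolower($site_host)) {
            return '/';
        }
    }
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
        return '/';
    }
    // Only path and query survive; scheme, host and fragment are dropped.
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Output side: escape before placing the value in an HTML attribute.
function referer_field(string $referer): string {
    $value = htmlspecialchars($referer, ENT_QUOTES, 'UTF-8');
    return '<input id="id_referer" type="hidden" name="referer" value="' . $value . '" />';
}

// Constructed inputs: a normal same-site Referer, then tampered values.
$samples = [
    'https://aur.example/packages/?K=foo&SB=n',
    '"><script>alert(1)</script>',
    '//other.example/login',
    'javascript:alert(1)',
];
foreach ($samples as $s) {
    echo referer_field($s), "\n";
    echo '  redirect -> ', safe_redirect_target($s, 'aur.example'), "\n";
}
```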