[aur-dev] [PATCH] Redirect at previous page after a successful login
Marcel Korpel
marcel.korpel at gmail.com
Fri Jun 19 12:51:46 UTC 2015
* Gordian Edenhofer <gordian.edenhofer at gmail.com> (Thu, 18 Jun 2015 21:28:17 +0200):
> After the user was authenticated a redirect to the site which
> linked the user to the login page is done. This fixes FS#32481.
> ---
[…]
> + <input id="id_referer" type="hidden"
> name="referer" value="<?= !empty($_SERVER['HTTP_REFERER']) ?
> $_SERVER['HTTP_REFERER'] : '/'; ?>" /> </p> </fieldset>
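Review bot: the hidden field writes $_SERVER['HTTP_REFERER'] into the value attribute without escaping, so a referer containing a double quote or ">" closes the attribute and injects markup into the login page; wrap it as htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES) before output. Because the field is submitted back by the client, the login handler should also verify that the posted referer is a same-site path (a single leading "/", no scheme or host) before redirecting to it, otherwise the login page becomes an open redirect.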
You should use htmlspecialchars here, &s should be encoded as &amp; etc.
But I fear this method has the same drawback as mine: the user can
tamper with those hidden form fields.
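One way to cover both points raised above, as an added example and not code from the patch or the AUR code base (the function names are hypothetical, and the host comparison assumes the caller passes its own hostname, e.g. $_SERVER['HTTP_HOST']):

```php
<?php
// Added example (not AUR's code); function names are hypothetical.

// Accept only a plain absolute path on this site (e.g. "/packages/?K=x").
// Full URLs, "//host/..." and "/\host" forms and control characters are
// replaced by the fallback, so a tampered field cannot send users off-site.
function safe_redirect_target(string $candidate, string $fallback = '/'): string
{
    if ($candidate === '' || $candidate[0] !== '/'
        || (isset($candidate[1]) && ($candidate[1] === '/' || $candidate[1] === '\\'))) {
        return $fallback;   // empty, relative, or "//evil.example/" style
    }
    if (preg_match('/[\x00-\x1f\x7f]/', $candidate)) {
        return $fallback;   // CR/LF could split the Location header
    }
    return $candidate;
}

// Derive the hidden-field value from the Referer header: keep path and
// query only when the referer is on this host, otherwise use "/".
function referer_to_target(string $referer, string $ourHost): string
{
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'])
        || strcasecmp($parts['host'], $ourHost) !== 0) {
        return '/';
    }
    $target = $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }
    return safe_redirect_target($target);
}

// Render the field with ENT_QUOTES so a quote cannot close the attribute.
function hidden_referer_field(string $target): string
{
    return '<input id="id_referer" type="hidden" name="referer" value="'
        . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '" />';
}

// On successful login, validate the posted field again before redirecting;
// the value rendered earlier must never be trusted once it comes back.
function redirect_after_login(array $post): void
{
    $target = safe_redirect_target((string)($post['referer'] ?? ''));
    header('Location: ' . $target, true, 303);
    exit;
}
```

With this, a referer of "https://attacker.example/" or a posted value of "//attacker.example/" both fall back to "/", while "/packages/?K=foo" on the site's own host is preserved.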