[aur-dev] [PATCH] Redirect at previous page after a successful login

Marcel Korpel marcel.korpel at gmail.com
Fri Jun 19 12:51:46 UTC 2015


* Gordian Edenhofer <gordian.edenhofer at gmail.com> (Thu, 18 Jun 2015
21:28:17 +0200):
> After the user was authenticated a redirect to the site which
> linked the user to the login page is done. This fixes FS#32481.
> ---
[…]
> +				<input id="id_referer" type="hidden"
> name="referer" value="<?= !empty($_SERVER['HTTP_REFERER']) ?
> $_SERVER['HTTP_REFERER'] : '/'; ?>" /> </p> </fieldset>
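Review bot: the value attribute echoes $_SERVER['HTTP_REFERER'] unescaped, so a double quote or ampersand in the Referer header either breaks out of the attribute or is mis-parsed as an entity; wrap it as htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES) before output. Separately, both the Referer header and the hidden "referer" field are client-supplied, so the POST side that performs the redirect should check that the submitted target is a path on this site (and fall back to '/' otherwise) rather than redirecting to whatever value arrives.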

You should use htmlspecialchars here, &s should be encoded as &amp; etc.

But I fear this method has the same drawback as mine: the user can
tamper with those hidden form fields.
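As an added illustration (not code from the aur-dev patch or from Marcel's reply), this is the shape the hidden field and the redirect take once the client-supplied target is both validated and escaped. The site host name SITE_HOST is an assumed placeholder; the function name safe_return_path is hypothetical.

```php
<?php
// Added example, not part of the original thread. The Referer header and
// the hidden "referer" field are both under the client's control, so the
// target is reduced to a local path (or '/') before it is echoed or used.
define('SITE_HOST', 'aur.example'); // assumed placeholder for this site's host

/**
 * Return a path on this site that is safe to redirect to, or $default.
 * Accepts "/path?query" or "http(s)://SITE_HOST/path?query"; rejects
 * off-site hosts, other schemes (javascript:, data:), protocol-relative
 * "//host" forms, backslashes and non-printable characters.
 */
function safe_return_path($candidate, $allowed_host, $default = '/') {
    if (!is_string($candidate) || $candidate === '') {
        return $default;
    }
    if (preg_match('/[^\x21-\x7e]/', $candidate)) { // whitespace, control, non-ASCII
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $default;
    }
    if (isset($parts['host'])) {
        // Absolute URL: only our own host over http(s) is acceptable.
        $scheme = strtolower(isset($parts['scheme']) ? $parts['scheme'] : '');
        if (!in_array($scheme, array('http', 'https'), true)
            || strcasecmp($parts['host'], $allowed_host) !== 0) {
            return $default;
        }
    } elseif (isset($parts['scheme'])) {
        return $default; // e.g. "javascript:..." has a scheme but no host
    }
    $path = isset($parts['path']) ? $parts['path'] : '/';
    if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//'
        || strpos($path, '\\') !== false) {
        return $default;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// GET: seed the hidden field, escaped so quotes and ampersands cannot
// break the attribute.
$referer = safe_return_path(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null, SITE_HOST);
?>
<input id="id_referer" type="hidden" name="referer"
       value="<?= htmlspecialchars($referer, ENT_QUOTES, 'UTF-8') ?>" />
<?php
// POST (after successful authentication): the hidden field may have been
// tampered with, so it goes through the same check before the redirect.
// header('Location: ' . safe_return_path(isset($_POST['referer']) ? $_POST['referer'] : null, SITE_HOST));
```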

