Open redirect vulnerability within the "next" parameter

Issue #101 resolved
Rémi Fat Cheung
created an issue

When viewing a message, just add the following ?next=//google.com to your url.

When clicking on the "back" link, or after the message is posted, the browser will be redirected to the link in the URL.

Not a major bug, but someone could eventually use that as a way to redirect visitors to a fishing website if they don't pay attention.

Comments (4)

  1. Patrick Samson repo owner
    • changed status to open

    My proposal is to silently suppress the scheme part and domain part, if present.

    That is: ?next=//elsewhere.com would be read as ?next= (so without effect), and ?next=http://elsewhere.com/page as ?next=/page.

    Is it OK for you?

  2. Log in to comment