Merge branch 'safer-redirects' into 'master'

safer redirects with login/logout

See merge request fatchan/jschan!170
merge-requests/208/head
Thomas Lynch 4 years ago
commit fed813d50f
  1. 2
      helpers/checks/isloggedin.js
  2. 8
      models/forms/login.js

@ -7,7 +7,7 @@ module.exports = async (req, res, next) => {
let goto; let goto;
if (req.method === 'GET' && req.path) { if (req.method === 'GET' && req.path) {
//coming from a GET page isLoggedIn middleware check //coming from a GET page isLoggedIn middleware check
goto = req.path; goto = encodeURIComponent(req.path);
} }
return res.redirect(`/login.html${goto ? '?goto='+goto : ''}`); return res.redirect(`/login.html${goto ? '?goto='+goto : ''}`);
} }
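Review bot: The new `goto = encodeURIComponent(req.path)` on the fourth line of this hunk is only half of the safeguard and the hunk does not say so; the value is later accepted or discarded by the allowlist in models/forms/login.js (`/^\/[0-9a-zA-Z][0-9a-zA-Z._/-]*$/`), which is what actually stops an off-site redirect. If this is Express, `req.path` is the still-percent-encoded path without the query string, so a path containing `%` or a non-ASCII character is double-encoded here, comes back in its encoded form from the login form, fails that allowlist and silently lands the user on /account.html; that seems to be accepted behaviour but deserves a note. I would extend the comment on the line above to `//coming from a GET page isLoggedIn middleware check; req.path drops the query string and login.js only honours plain /[A-Za-z0-9._/-] paths, anything else falls back to /account.html`. The enclosing `module.exports = async (req, res, next)` starts before this hunk, so I cannot see how `goto` is left unset on non-GET requests beyond the `let goto;` line.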

@ -8,8 +8,12 @@ module.exports = async (req, res, next) => {
const username = req.body.username.toLowerCase(); const username = req.body.username.toLowerCase();
const password = req.body.password; const password = req.body.password;
const goto = req.body.goto || '/account.html'; let goto = req.body.goto;
const failRedirect = `/login.html${goto ? '?goto='+goto : ''}` // we don't want to redirect the user to random sites
if (goto == null || !/^\/[0-9a-zA-Z][0-9a-zA-Z._/-]*$/.test(goto)) {
goto = '/account.html';
}
const failRedirect = `/login.html${goto ? '?goto='+encodeURIComponent(goto) : ''}`
//fetch an account //fetch an account
const account = await Accounts.findOne(username); const account = await Accounts.findOne(username);
