Prevent external redirects

2025-08-07 18:58:30 +02:00 · 2022-03-27 11:47:45 +02:00
parent eca98a13f5
commit 3906d9e5b8
3 changed files with 28 additions and 9 deletions
--- a/bookmarks/utils.py
+++ b/bookmarks/utils.py
@@ -1,3 +1,4 @@
+import re
 from datetime import datetime
 from typing import Optional

@@ -99,6 +100,6 @@ def parse_timestamp(value: str):

 def get_safe_return_url(return_url: str, fallback_url: str):
    # Use fallback if URL is none or URL is not on same domain
-    if not return_url or not return_url.startswith('/'):
+    if not return_url or not re.match(r'^/[a-z]+', return_url):
        return fallback_url
    return return_url