Validate back_url everywhere (#32850).

Patch by Holger Just. git-svn-id: http://svn.redmine.org/redmine/trunk@19488 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Jean-Philippe Lang <jp_lang@yahoo.fr> 2020-02-02 08:39:22 +0000
committer: Jean-Philippe Lang <jp_lang@yahoo.fr> 2020-02-02 08:39:22 +0000
commit: 0cd14b3a4bdcd740f98fb4deb8afd71974888a40 (patch)
tree: d53e5ff447772a9427438bed9d3f3724e6f82c8a /app/helpers/application_helper.rb
parent: b3cda4fd61913af4a2bb2b6e47354d3e389cbad6 (diff)
download: redmine-0cd14b3a4bdcd740f98fb4deb8afd71974888a40.tar.gz
redmine-0cd14b3a4bdcd740f98fb4deb8afd71974888a40.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 6a7812e4a..9fb6a56c2 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -1426,12 +1426,12 @@ module ApplicationHelper
   end
 
   def back_url_hidden_field_tag
-    url = back_url
+    url = validate_back_url(back_url)
     hidden_field_tag('back_url', url, :id => nil) unless url.blank?
   end
 
   def cancel_button_tag(fallback_url)
-    url = back_url.blank? ? fallback_url : back_url
+    url = validate_back_url(back_url) || fallback_url
     link_to l(:button_cancel), url
   end
author	Jean-Philippe Lang <jp_lang@yahoo.fr>	2020-02-02 08:39:22 +0000
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>	2020-02-02 08:39:22 +0000
commit	0cd14b3a4bdcd740f98fb4deb8afd71974888a40 (patch)
tree	d53e5ff447772a9427438bed9d3f3724e6f82c8a /app/helpers/application_helper.rb
parent	b3cda4fd61913af4a2bb2b6e47354d3e389cbad6 (diff)
download	redmine-0cd14b3a4bdcd740f98fb4deb8afd71974888a40.tar.gz redmine-0cd14b3a4bdcd740f98fb4deb8afd71974888a40.zip