Skip to content

Open redirect in crud/default/views/_form.php #164

New issue
New issue
Open
Open
Open redirect in crud/default/views/_form.php#164
@id3s3c

Description

@id3s3c
id3s3c
opened on Mar 23, 2021

I was poking at one of my companies internal website and saw that changing the Referer: header redirected me to the location of the URL in it. After talking to the dev we fixed changing the line 103 from:

<?= "<?= " ?>Html::a(Yii::t('app', 'Cancel'), Yii::$app->request->referrer , ['class'=> 'btn btn-danger']) ?>

to

<?= "<?= " ?>Html::a(Yii::t('app', 'Cancel'), parse_url(Yii::$app->request->referrer, PHP_URL_PATH), ['class'=> 'btn btn-danger']) ?>

Cheers.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions