Encodes correctly the login regirect URL parameters

2025-12-15 18:27:47 +02:00 · 2025-12-15 18:27:47 +02:00 · a272294fc0
parent b239b73689
commit a272294fc0
2 changed files with 5 additions and 3 deletions
--- a/app/pages/login.php
+++ b/app/pages/login.php
@ -300,6 +300,6 @@ function handleSuccessfulLogin($userId, $username, $rememberMe, $config, $app_ro
    ) {
        $redirect = $candidate;
    }
-    header('Location: ' . htmlspecialchars($redirect));
+    header('Location: ' . $redirect);
    exit();
 }
--- a/app/templates/form-login.php
+++ b/app/templates/form-login.php
@ -43,8 +43,10 @@
                            <i class="fas fa-sign-in-alt me-2"></i>Sign in
                        </button>
                    </div>
-<?php if (isset($_GET['redirect'])): ?>
-                    <input type="hidden" name="redirect" value="<?php echo htmlspecialchars($_GET['redirect']); ?>">
+<?php if (isset($_GET['redirect'])):
+    $loginRawRedirect = $_GET['redirect'];
+?>
+                    <input type="hidden" name="redirect" value="<?= htmlspecialchars($loginRawRedirect, ENT_QUOTES, 'UTF-8'); ?>">
 <?php endif; ?>
                </form>
            </div>