Commit 946b2e3a authored by Rafael Monnerat's avatar Rafael Monnerat

erp5_web_renderjs_ui: Ensure that came_from is html quoted before redirect

See merge request nexedi/erp5!1889
parents 4575983a 89838d4f
REQUEST = context.REQUEST REQUEST = context.REQUEST
RESPONSE = REQUEST.RESPONSE RESPONSE = REQUEST.RESPONSE
from ZTUtils import make_query
portal = context.getPortalObject() portal = context.getPortalObject()
...@@ -26,8 +27,13 @@ if (portal.portal_membership.isAnonymousUser()): ...@@ -26,8 +27,13 @@ if (portal.portal_membership.isAnonymousUser()):
else: else:
message = context.Base_translateString('Login and/or password is incorrect.') message = context.Base_translateString('Login and/or password is incorrect.')
url = '%s/login_form?portal_status_message=%s' % (context.absolute_url(), message) query_dict = {
url = came_from and '%s&came_from=%s' % (url, came_from) or url 'portal_status_message': message,
}
if came_from:
query_dict['came_from'] = came_from
url = '%s/login_form?%s' % (context.absolute_url(), make_query(query_dict))
RESPONSE.redirect(url) RESPONSE.redirect(url)
else: else:
# XXX How to warn user that password will expire? # XXX How to warn user that password will expire?
......
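Review bot: `came_from` is still forwarded to `login_form` unvalidated at `query_dict['came_from'] = came_from`; `make_query` only URL-encodes it, which stops the value from smuggling extra query parameters into the redirect URL but does nothing to reject an absolute off-site URL, so if `login_form` later redirects to `came_from` (as the title implies, though that consumer is not in this hunk) an attacker-supplied `came_from=https://evil.example/` would still be an open redirect. Unless that check exists in the consumer, restrict it here to same-site targets, e.g. `if came_from and came_from.startswith(portal.absolute_url() + '/'):` (the trailing `/` matters, otherwise `https://site.example.evil.com` passes a prefix test against `https://site.example`), or strip it to a path-only value. Note also that `make_query` performs URL quoting, not HTML quoting as the commit title says; the redirect location is a header, so URL encoding is the right treatment but the message should say so. The enclosing `if/else` begins above the hunk.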