https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31699 --- Comment #19 from David Cook <dcook@prosentient.com.au> --- (In reply to Tomás Cohen Arazi from comment #16)
Do we need some form of validation for $return?
100% The "return" param could either be window.location.pathname + window.location.search so the Perl could append that to OpacBaseURL, or "return" could be a full URL, and the Perl replaces the hostname with OpacBaseURL. This is the approach we use in C4::Auth_with_shibboleth, and it's something I've used elsewhere as well. The only downside I see is that it locks you into using the particular OpacBaseURL you have defined for that virtual host. Either way, we definitely need to validate/construct the URL, or else we're creating this problem: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_For... -- You are receiving this mail because: You are watching all bug changes.