Redirect Security

[lonnieezell]

To help address Unvalidated Redirects and Forwards, the redirect() method should be able to restrict the URL to only URL's that have been defined in the routes file.

This should take effect by default, when the app is set to require all URL's to be routed.

It would be nice to have a way for it to be able to auto-detect a whitelist of URLs that can be used for this, but will need to be determined.

[sv3tli0]

I think that the best way is to have 2 different methods for that.
1st - Redirect to defined route .
2nd - Redirect to full url (remote or local doesn't matter) .
The security will be developers problem if they use the 2nd method, while the first one will throw "not existing" error if somebody try to enter invalid route...

[lonnieezell]

A global redirect() method has been provided that attempts to find a named route, or to match the desired route and parameters using reverse routing. If no match is found it is redirected as normal.

If a user needs more control, they can use $this->response->redirect() explicitly.