Merge pull request #3 from skip-pay/FixMSOXSSVulnerability

fix MSO XSS vulnerability
skip-pay · May 16, 2023 · 8ce21b5 · 8ce21b5
2 parents c0a787d + 508a807
commit 8ce21b5
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/auth_token/contrib/common/default/views.py b/auth_token/contrib/common/default/views.py
@@ -1,3 +1,5 @@
+from urllib.parse import quote_plus
+
 from django.contrib.auth.views import LoginView, LogoutView
 from django.utils.decorators import method_decorator
 from django.urls import reverse, NoReverseMatch
@@ -40,7 +42,7 @@ def _get_sso_login_methods(self):
             return [
                 {
                     'name': 'microsoft',
-                    'url': f'{reverse("ms-sso-login")}?next={self.request.GET.get("next", "/")}',
+                    'url': f'{reverse("ms-sso-login")}?next={quote_plus(self.request.GET.get("next", "/"), safe="/")}',
                     'label': gettext('Continue with Microsoft account')
                 }
             ]