fix: profile delete redirect and open redirect via //

2026-05-08 13:33:59 +02:00
parent 32b114cecd
commit 74fb893751
4 changed files with 5 additions and 2 deletions
--- a/crates/adapters/template-askama/Cargo.toml
+++ b/crates/adapters/template-askama/Cargo.toml
@@ -8,6 +8,7 @@ askama = { version = "0.16.0" }

 serde = { workspace = true }
 chrono = { workspace = true }
+uuid = { workspace = true }

 domain = { workspace = true }
 application = { workspace = true }
--- a/crates/adapters/template-askama/src/lib.rs
+++ b/crates/adapters/template-askama/src/lib.rs
@@ -71,6 +71,7 @@ struct MonthlyRatingRow<'a> {
 struct ProfileTemplate<'a> {
    ctx: &'a HtmlPageContext,
    profile_display_name: String,
+    profile_user_id: uuid::Uuid,
    stats: &'a UserStats,
    view: &'a str,
    entries: Option<&'a Paginated<DiaryEntry>>,
@@ -239,6 +240,7 @@ impl HtmlRenderer for AskamaHtmlRenderer {
        ProfileTemplate {
            ctx: &data.ctx,
            profile_display_name,
+            profile_user_id: data.profile_user_id,
            stats: &data.stats,
            view: &data.view,
            entries: data.entries.as_ref(),
--- a/crates/adapters/template-askama/templates/profile.html
+++ b/crates/adapters/template-askama/templates/profile.html
@@ -141,7 +141,7 @@
        <div class="watched-at">{{ entry.review().watched_at().format("%Y-%m-%d") }}</div>
        {% if ctx.is_current_user(entry.review().user_id().value()) %}
        <form method="post" action="/reviews/{{ entry.review().id().value() }}/delete" class="delete-form">
-          <input type="hidden" name="redirect_after" value="?view={{ view }}&offset={{ current_offset }}">
+          <input type="hidden" name="redirect_after" value="/users/{{ profile_user_id }}?view={{ view }}&offset={{ current_offset }}">
          <button type="submit">Delete</button>
        </form>
        {% endif %}
--- a/crates/presentation/src/handlers.rs
+++ b/crates/presentation/src/handlers.rs
@@ -229,7 +229,7 @@ pub mod html {
            Ok(()) => {
                let redirect_url = form
                    .redirect_after
-                    .filter(|url| url.starts_with('/') || url.starts_with('?'))
+                    .filter(|url| (url.starts_with('/') && !url.starts_with("//")) || url.starts_with('?'))
                    .unwrap_or_else(|| "/".to_string());
                Redirect::to(&redirect_url).into_response()
            }