From a282539151417b53a62f5eb612a1f3a9a0683f03 Mon Sep 17 00:00:00 2001
From: Gabriel Kaszewski <gabrielkaszewski@gmail.com>
Date: Fri, 8 May 2026 13:33:59 +0200
Subject: [PATCH] fix: profile delete redirect and open redirect via //

---
 crates/adapters/template-askama/Cargo.toml             | 1 +
 crates/adapters/template-askama/src/lib.rs             | 2 ++
 crates/adapters/template-askama/templates/profile.html | 2 +-
 crates/presentation/src/handlers.rs                    | 2 +-
 4 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/crates/adapters/template-askama/Cargo.toml b/crates/adapters/template-askama/Cargo.toml
index af60b90..1769697 100644
--- a/crates/adapters/template-askama/Cargo.toml
+++ b/crates/adapters/template-askama/Cargo.toml
@@ -8,6 +8,7 @@ askama = { version = "0.16.0" }
 
 serde = { workspace = true }
 chrono = { workspace = true }
+uuid = { workspace = true }
 
 domain = { workspace = true }
 application = { workspace = true }
diff --git a/crates/adapters/template-askama/src/lib.rs b/crates/adapters/template-askama/src/lib.rs
index c45e8a2..e2dfa48 100644
--- a/crates/adapters/template-askama/src/lib.rs
+++ b/crates/adapters/template-askama/src/lib.rs
@@ -71,6 +71,7 @@ struct MonthlyRatingRow<'a> {
 struct ProfileTemplate<'a> {
     ctx: &'a HtmlPageContext,
     profile_display_name: String,
+    profile_user_id: uuid::Uuid,
     stats: &'a UserStats,
     view: &'a str,
     entries: Option<&'a Paginated<DiaryEntry>>,
@@ -239,6 +240,7 @@ impl HtmlRenderer for AskamaHtmlRenderer {
         ProfileTemplate {
             ctx: &data.ctx,
             profile_display_name,
+            profile_user_id: data.profile_user_id,
             stats: &data.stats,
             view: &data.view,
             entries: data.entries.as_ref(),
diff --git a/crates/adapters/template-askama/templates/profile.html b/crates/adapters/template-askama/templates/profile.html
index 3c94271..1cb39ea 100644
--- a/crates/adapters/template-askama/templates/profile.html
+++ b/crates/adapters/template-askama/templates/profile.html
@@ -141,7 +141,7 @@
         <div class="watched-at">{{ entry.review().watched_at().format("%Y-%m-%d") }}</div>
         {% if ctx.is_current_user(entry.review().user_id().value()) %}
         <form method="post" action="/reviews/{{ entry.review().id().value() }}/delete" class="delete-form">
-          <input type="hidden" name="redirect_after" value="?view={{ view }}&offset={{ current_offset }}">
+          <input type="hidden" name="redirect_after" value="/users/{{ profile_user_id }}?view={{ view }}&offset={{ current_offset }}">
           <button type="submit">Delete</button>
         </form>
         {% endif %}
diff --git a/crates/presentation/src/handlers.rs b/crates/presentation/src/handlers.rs
index fc42fce..8a14ab2 100644
--- a/crates/presentation/src/handlers.rs
+++ b/crates/presentation/src/handlers.rs
@@ -229,7 +229,7 @@ pub mod html {
             Ok(()) => {
                 let redirect_url = form
                     .redirect_after
-                    .filter(|url| url.starts_with('/') || url.starts_with('?'))
+                    .filter(|url| (url.starts_with('/') && !url.starts_with("//")) || url.starts_with('?'))
                     .unwrap_or_else(|| "/".to_string());
                 Redirect::to(&redirect_url).into_response()
             }