fix: profile delete redirect and open redirect via //

2026-05-08 13:33:59 +02:00
parent 5f8eba9f84
commit a282539151
4 changed files with 5 additions and 2 deletions
--- a/crates/presentation/src/handlers.rs
+++ b/crates/presentation/src/handlers.rs
@@ -229,7 +229,7 @@ pub mod html {
            Ok(()) => {
                let redirect_url = form
                    .redirect_after
-                    .filter(|url| url.starts_with('/') || url.starts_with('?'))
+                    .filter(|url| (url.starts_with('/') && !url.starts_with("//")) || url.starts_with('?'))
                    .unwrap_or_else(|| "/".to_string());
                Redirect::to(&redirect_url).into_response()
            }