
Fixed Prevent External Redirect (using styles)

Discussion in 'Resolved Bug Reports' started by James, Jan 2, 2011.

  1. James

    James Well-Known Member

    The styles use an &redirect parameter to redirect, but you can allow redirecting to URLs (or URIs however pedantic you wish to be) that aren't part of the local domain.

    Recommendation: Only allow redirection to an area of the local domain.

    Example:
    http://xenforo.com/community/misc/style?style_id=3&redirect=http://www.google.com

    Also, when redirecting once to an external URL, it seems to automatically redirect you to that URL every time you change styles *more testing needed*
     
  2. Mike

    Mike XenForo Developer Staff Member

    Fixed locally - it compares the domain part of the requested redirect before following it.
     
    James likes this.
  3. James

    James Well-Known Member

    What happens when it detects an external link? Does it redirect to the homepage?
     
  4. Mike

    Mike XenForo Developer Staff Member

    In general, yes.
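
The check described in the replies (compare the domain part of the requested redirect, fall back to the homepage otherwise) could look like the following. This is an added example and not part of the thread's posts or XenForo's own code; the function name `safe_redirect_target`, the local host `xenforo.com` and the fallback path `/community/` are assumptions for illustration.

```php
<?php
// Added example, not XenForo code. Function name, host and fallback are hypothetical.
function safe_redirect_target(string $requested, string $localHost, string $fallback): string
{
    // Reject control characters, spaces and backslashes: browsers normalise
    // these differently from parse_url(), which can hide an external host.
    if ($requested === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $requested)) {
        return $fallback;
    }

    $parts = parse_url($requested);
    if ($parts === false) {
        return $fallback;
    }

    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // Relative target: accept only a path rooted at a single "/".
        return ($requested[0] === '/' && substr($requested, 0, 2) !== '//')
            ? $requested : $fallback;
    }

    // Absolute or scheme-relative ("//host/...") target: the host must match
    // exactly, so look-alike suffixes and userinfo tricks fall through.
    $scheme = strtolower($parts['scheme'] ?? 'http');
    $host   = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)
        || isset($parts['user']) || isset($parts['pass'])
        || $host !== strtolower($localHost)) {
        return $fallback;
    }
    return $requested;
}

// Constructed sample values; the first is the redirect value from the report.
$samples = [
    'http://www.google.com',
    '//www.google.com/',
    'http://xenforo.com@www.google.com/',
    'http://xenforo.com.example.net/',
    'javascript:alert(1)',
    'http://xenforo.com/community/',
    '/community/forums/',
];
foreach ($samples as $s) {
    printf("%-40s => %s\n", $s, safe_redirect_target($s, 'xenforo.com', '/community/'));
}
```

Only the last two samples are returned unchanged; every other value resolves to the fallback path.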
     
