Redirects can be used for XSS

[fprochazka]

If the attacker finds a hole, where he can provide an URL that is passed directly to Http\Response::redirect(), then he's able to create XSS.

for example

/some/page?redirect=%0Ajavascript:alert(/xss/)

Which executes to

public function actionPage($redirect)
{
    $this->redirectUri($redirect);
}

The browser won't redirect, because it's not a valid url, but HTML will be printed

Location: %0Ajavascript:alert(/xss/)


<h1>Redirect</h1>

<p><a href="
javascript:alert(/xss/)">Please click here to continue</a>.</p>

This happened to us in our mailing click-through counter.

---

Also relevant http://forum.nette.org/cs/21315-parsovani-absolutni-url-routerem-aplikace#p146150

[dg]

Can you fix it?

[fprochazka]

I suppose this should have a similar behaviour as Latte, when there is a variable in <a href>, right?

[JanTvrdik]

Maybe Validators::assert($url, 'url') will be enough.

[dg]

@JanTvrdik url may be relative

[dg]

(Why is „Close issue“ 3px near from „Comment“ dear @github? #uxfail)

[mishak87]

@fprochazka Latte regex for quick fix :)

[mishak87]

@dg It could be useful as Validators::isSafeUrl for checking before redirecting should I make a pull?