Fix open redirect
parent
3848a2fec5
commit
4e03ed1ea4
|
@ -63,7 +63,7 @@ public class EditUserModel : PageModel {
|
|||
if (Request.Form["action"] == "save" && Request.Form.ContainsKey("nickname") && !string.IsNullOrWhiteSpace(Request.Form["nickname"])) {
|
||||
var nick = Request.Form["nickname"].ToString();
|
||||
if (db.Users.Any(p => p.Nickname == nick && p.Id != userId)) {
|
||||
Response.Redirect($"/ErrorRedirect?redir=/EditUser/{userId}&message=" + WebUtility.UrlEncode("User with nick already exists."));
|
||||
Response.Redirect($"/ErrorRedirect?redir=EditUser/{userId}&message=" + WebUtility.UrlEncode("User with nick already exists."));
|
||||
return;
|
||||
}
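Review bot: The `redir` value in this `Response.Redirect` call goes into the query string unencoded, while `message` is passed through `WebUtility.UrlEncode`. It also now relies on an unwritten rule that the ErrorRedirect page adds the leading slash. Where `userId` comes from is not visible in this hunk; if it can ever contain `&` or `#` the query string would split, so I would encode it the same way: `"/ErrorRedirect?redir=" + WebUtility.UrlEncode($"EditUser/{userId}") + "&message=" + ...`. A comment such as `// redir is a site-relative path without the leading slash; ErrorRedirect prepends it` would record the contract. The same applies to the two `%23add_user` redirects in IndexModel, and the enclosing method starts and ends outside the hunk.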
|
||||
|
||||
|
|
|
@ -1,10 +1,11 @@
|
|||
@page
|
||||
@{
|
||||
ViewData["Title"] = "Error";
|
||||
var target = "/" + Request.Query["redir"];
|
||||
}
|
||||
|
||||
@section Header {
|
||||
<meta http-equiv="refresh" content="5;@(Request.Query.ContainsKey("redir") ? Request.Query["redir"] : "/")"/>
|
||||
<meta http-equiv="refresh" content="5;@target"/>
|
||||
}
|
||||
<div class="alert alert-danger" role="alert">
|
||||
@Request.Query["message"]
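Review bot: Prefixing `"/"` in `var target = "/" + Request.Query["redir"];` does not by itself confine the refresh to this site, assuming that line and `content="5;@target"` are the new side. A `redir` value that itself begins with `/` or `\` yields a target starting `//` or `/\`, which browsers resolve as another host. I would validate the result and fall back to the root directly after the assignment, `if (!Url.IsLocalUrl(target)) { target = "/"; }`, since `IsLocalUrl` rejects both forms. Separately, `@Request.Query["message"]` is HTML-encoded by Razor but still shows caller-supplied text in the alert; choosing the message from a fixed set keyed by a short code would rule out content spoofing.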
|
||||
|
|
|
@ -32,7 +32,7 @@ public class IndexModel : PageModel {
|
|||
if (Request.Form.ContainsKey("nickname") && !string.IsNullOrWhiteSpace(Request.Form["nickname"])) {
|
||||
var nick = Request.Form["nickname"];
|
||||
if (db.Users.Any(p => p.Nickname == nick.ToString())) {
|
||||
Response.Redirect("/ErrorRedirect?redir=/%23add_user&message=" + WebUtility.UrlEncode("User with nick already exists."));
|
||||
Response.Redirect("/ErrorRedirect?redir=%23add_user&message=" + WebUtility.UrlEncode("User with nick already exists."));
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -43,7 +43,7 @@ public class IndexModel : PageModel {
|
|||
return;
|
||||
}
|
||||
|
||||
Response.Redirect("/ErrorRedirect?redir=/%23add_user&message=" + WebUtility.UrlEncode("Nickname must not be empty."));
|
||||
Response.Redirect("/ErrorRedirect?redir=%23add_user&message=" + WebUtility.UrlEncode("Nickname must not be empty."));
|
||||
}
|
||||
else {
|
||||
Response.Redirect("/");
|
||||
|
|