Fix open redirect
parent
3848a2fec5
commit
4e03ed1ea4
|
@ -63,7 +63,7 @@ public class EditUserModel : PageModel {
|
||||||
if (Request.Form["action"] == "save" && Request.Form.ContainsKey("nickname") && !string.IsNullOrWhiteSpace(Request.Form["nickname"])) {
|
if (Request.Form["action"] == "save" && Request.Form.ContainsKey("nickname") && !string.IsNullOrWhiteSpace(Request.Form["nickname"])) {
|
||||||
var nick = Request.Form["nickname"].ToString();
|
var nick = Request.Form["nickname"].ToString();
|
||||||
if (db.Users.Any(p => p.Nickname == nick && p.Id != userId)) {
|
if (db.Users.Any(p => p.Nickname == nick && p.Id != userId)) {
|
||||||
Response.Redirect($"/ErrorRedirect?redir=/EditUser/{userId}&message=" + WebUtility.UrlEncode("User with nick already exists."));
|
Response.Redirect($"/ErrorRedirect?redir=EditUser/{userId}&message=" + WebUtility.UrlEncode("User with nick already exists."));
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
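Review bot: The `/ErrorRedirect?redir=…&message=…` URL is assembled by hand in this `Response.Redirect` call and again at both `Response.Redirect` calls in IndexModel, and only the message part goes through `WebUtility.UrlEncode`. Now that `redir` is passed without its leading slash by convention, a small shared helper that takes the relative path and the message and encodes both would keep the three call sites in step with what the ErrorRedirect page expects. `userId` is interpolated into `redir` unencoded; that is harmless if it is a numeric id, which the hunk does not show. The enclosing handler starts and ends outside the hunk.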
@ -1,10 +1,11 @@
|
||||||
@page
|
@page
|
||||||
@{
|
@{
|
||||||
ViewData["Title"] = "Error";
|
ViewData["Title"] = "Error";
|
||||||
|
var target = "/" + Request.Query["redir"];
|
||||||
}
|
}
|
||||||
|
|
||||||
@section Header {
|
@section Header {
|
||||||
<meta http-equiv="refresh" content="5;@(Request.Query.ContainsKey("redir") ? Request.Query["redir"] : "/")"/>
|
<meta http-equiv="refresh" content="5;@target"/>
|
||||||
}
|
}
|
||||||
<div class="alert alert-danger" role="alert">
|
<div class="alert alert-danger" role="alert">
|
||||||
@Request.Query["message"]
|
@Request.Query["message"]
|
||||||
|
|
|
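Review bot: Prefixing the query value in `var target = "/" + Request.Query["redir"];` does not by itself keep the refresh target on this site, because a `redir` value that itself begins with `/` or `\` produces a `//…` or `/\…` URL, which browsers resolve against a different host. The assembled value should be validated and replaced with the root on failure, for example `if (!Url.IsLocalUrl(target)) { target = "/"; }` directly after the assignment. A one-line comment on `target` saying that `redir` is expected to be a site-relative path without its leading slash would document the contract the callers now depend on. Separately, `@Request.Query["message"]` still renders caller-supplied text in the alert; Razor HTML-encodes it, but mapping a fixed set of message keys to strings would keep arbitrary text off the page.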
@ -32,7 +32,7 @@ public class IndexModel : PageModel {
|
||||||
if (Request.Form.ContainsKey("nickname") && !string.IsNullOrWhiteSpace(Request.Form["nickname"])) {
|
if (Request.Form.ContainsKey("nickname") && !string.IsNullOrWhiteSpace(Request.Form["nickname"])) {
|
||||||
var nick = Request.Form["nickname"];
|
var nick = Request.Form["nickname"];
|
||||||
if (db.Users.Any(p => p.Nickname == nick.ToString())) {
|
if (db.Users.Any(p => p.Nickname == nick.ToString())) {
|
||||||
Response.Redirect("/ErrorRedirect?redir=/%23add_user&message=" + WebUtility.UrlEncode("User with nick already exists."));
|
Response.Redirect("/ErrorRedirect?redir=%23add_user&message=" + WebUtility.UrlEncode("User with nick already exists."));
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -43,7 +43,7 @@ public class IndexModel : PageModel {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
Response.Redirect("/ErrorRedirect?redir=/%23add_user&message=" + WebUtility.UrlEncode("Nickname must not be empty."));
|
Response.Redirect("/ErrorRedirect?redir=%23add_user&message=" + WebUtility.UrlEncode("Nickname must not be empty."));
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
Response.Redirect("/");
|
Response.Redirect("/");
|
||||||
|
|