diff options
-rwxr-xr-x | classes/handler/public.php | 6 | ||||
-rw-r--r-- | plugins/auth_internal/init.php | 4 |
2 files changed, 5 insertions, 5 deletions
diff --git a/classes/handler/public.php b/classes/handler/public.php index d776e27cd..d7a7010fe 100755 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -416,10 +416,10 @@ class Handler_Public extends Handler { $_SESSION["login_error_msg"] ??= __("Incorrect username or password"); } - $return = clean($_REQUEST['return']); + $return = clean($_REQUEST['return'] ?? ''); - if ($_REQUEST['return'] && mb_strpos($return, Config::get_self_url()) === 0) { - header("Location: " . clean($_REQUEST['return'])); + if ($return && mb_strpos($return, Config::get_self_url()) === 0) { + header("Location: $return"); } else { header("Location: " . Config::get_self_url()); } diff --git a/plugins/auth_internal/init.php b/plugins/auth_internal/init.php index f113cd31e..697d0d0d2 100644 --- a/plugins/auth_internal/init.php +++ b/plugins/auth_internal/init.php @@ -36,7 +36,7 @@ class Auth_Internal extends Auth_Base { return false; } else { - $return = urlencode($_REQUEST["return"]); + $return = urlencode(with_trailing_slash($_REQUEST["return"])); ?> <!DOCTYPE html> <html> @@ -81,7 +81,7 @@ class Auth_Internal extends Auth_Base { <body class="flat ttrss_utility otp css_loading"> <h1><?= __("Authentication") ?></h1> <div class="content"> - <form dojoType="dijit.form.Form" action="public.php?return=<?= urlencode(with_trailing_slash($return)) ?>" method="post" class="otpform"> + <form dojoType="dijit.form.Form" action="public.php?return=<?= $return ?>" method="post" class="otpform"> <?php foreach (["login", "password", "bw_limit", "safe_mode", "remember_me", "profile"] as $key) { print \Controls\hidden_tag($key, $_POST[$key] ?? ""); |