Background information

This was originally reported as a private security issue, but has been approved for handling in the public queue by the Drupal Security Team.

Problem/Motivation

RedirectResponseSubscriber prevents redirect responses from redirecting to untrusted URLs.
For example this is not allowed:

  public function test() {
    return new RedirectResponse('http://example.com');
  }

But it seems we don't have anything like this for HTMX responses.
If I create a controller like this:

  public function test() {
    $response = new Response();

    $htmx = new Htmx();
    $htmx->redirectHeader(Url::fromUri('http://example.com'));
    $response->headers->add($htmx->getHeaders()->all());

    return $response;
  }

Then trigger it with this HTML:

<a data-hx-trigger="click" data-hx-get="/test">Click me</a>

The redirect works.

Additionally, HTMX accepts javascript: URLs in redirect:

  public function test() {
    $response = new Response();
    $response->headers->set('HX-Redirect', 'javascript:alert()');

    return $response;
  }

But it can't be set with Htmx::redirectHeader() because Uri objects don't accept the javascript schema.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Comments

prudloff created an issue.