Background information
This was originally reported as a private security issue, but has been approved for handling in the public queue by the Drupal Security Team.
Problem/Motivation
RedirectResponseSubscriber prevents redirect responses from redirecting to untrusted URLs.
For example this is not allowed:
public function test() {
return new RedirectResponse('http://example.com');
}
But it seems we don't have anything like this for HTMX responses.
If I create a controller like this:
public function test() {
$response = new Response();
$htmx = new Htmx();
$htmx->redirectHeader(Url::fromUri('http://example.com'));
$response->headers->add($htmx->getHeaders()->all());
return $response;
}
Then trigger it with this HTML:
<a data-hx-trigger="click" data-hx-get="/test">Click me</a>
The redirect works.
Additionally, HTMX accepts javascript: URLs in redirect:
public function test() {
$response = new Response();
$response->headers->set('HX-Redirect', 'javascript:alert()');
return $response;
}
But it can't be set with Htmx::redirectHeader() because Uri objects don't accept the javascript schema.
Steps to reproduce
Proposed resolution
Remaining tasks
User interface changes
Introduced terminology
API changes
Data model changes
Release notes snippet
Comments