author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-05-11 12:08:10 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-05-11 12:08:10 +0300 |
commit | fb7b6bceee41fc6e5dba72a24519dec8f2713075 (patch) | |
tree | b6795a858de5d692aab9de4676c20ba8dd5438f5 /app/views/doorkeeper | |
parent | 18b54e46b77786995acdb1026c2ec35956e33780 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/views/doorkeeper')
-rw-r--r-- | app/views/doorkeeper/authorizations/redirect.html.haml | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/app/views/doorkeeper/authorizations/redirect.html.haml b/app/views/doorkeeper/authorizations/redirect.html.haml
index 9580f33c88a..a9ac92fd087 100644
--- a/app/views/doorkeeper/authorizations/redirect.html.haml
+++ b/app/views/doorkeeper/authorizations/redirect.html.haml
@@ -5,4 +5,16 @@
 = javascript_tag do
 :plain
- window.location= "#{redirect_uri}";
+ (function() {
+ // Only permit a basic set of characters in the fragment.
+ const allowedRegex = /^#[\w-]+$/g;
+
+ const hash = window.location.hash;
+ let redirectUri = "#{redirect_uri}";
+
+ if (window.location.hash && window.location.hash.search(allowedRegex) === 0 && redirectUri.indexOf('#') === -1) {
+ redirectUri = redirectUri + hash;
+ }
+
+ window.location = redirectUri;
+ })(); |
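Review bot: The new `let redirectUri = "#{redirect_uri}";` line still interpolates a server-side value straight into a JavaScript string literal, so its safety depends on whatever escaping Haml applies to `:plain` filter interpolations, which is not visible in this hunk. If that escaping is HTML-context only, it does not neutralise backslashes or line terminators and it rewrites `&` in query strings, so I would encode for the JavaScript context explicitly, for example `let redirectUri = "#{escape_javascript(redirect_uri)}";`, after confirming how that combines with the Haml escaping setting. It is also worth confirming that `redirect_uri` is restricted to expected schemes on the server before it reaches `window.location`, since nothing here checks it. As a smaller point, the `g` flag on `allowedRegex` has no effect with `search()` and the captured `hash` is not used in the condition; `const allowedRegex = /^#[\w-]+$/;` with `if (allowedRegex.test(hash) && redirectUri.indexOf('#') === -1) {` reads more directly and keeps the same allow-list.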