Fix referer escaping

2024-07-16 02:21:18 +02:00 · 2019-05-03 12:15:21 -05:00 · 2019-05-03 12:15:21 -05:00 · ad8750b40d
commit ad8750b40d
parent 757ea93393
6 changed files with 6 additions and 6 deletions
--- a/src/invidious/views/clear_watch_history.ecr
+++ b/src/invidious/views/clear_watch_history.ecr
@ -13,7 +13,7 @@
                </button>
            </div>
            <div class="pure-u-1-2">
-                <a class="pure-button" href="<%= referer %>">
+                <a class="pure-button" href="<%= URI.escape(referer) %>">
                    <%= translate(locale, "No") %>
                </a>
            </div>
--- a/src/invidious/views/data_control.ecr
+++ b/src/invidious/views/data_control.ecr
@ -3,7 +3,7 @@
 <% end %>
 <div class="h-box">
-    <form class="pure-form pure-form-aligned" enctype="multipart/form-data" action="/data_control?referer=<%= referer %>" method="post">
+    <form class="pure-form pure-form-aligned" enctype="multipart/form-data" action="/data_control?referer=<%= URI.escape(referer) %>" method="post">
        <fieldset>
            <legend><%= translate(locale, "Import") %></legend>
--- a/src/invidious/views/delete_account.ecr
+++ b/src/invidious/views/delete_account.ecr
@ -13,7 +13,7 @@
                </button>
            </div>
            <div class="pure-u-1-2">
-                <a class="pure-button" href="<%= referer %>">
+                <a class="pure-button" href="<%= URI.escape(referer) %>">
                    <%= translate(locale, "No") %>
                </a>
            </div>
--- a/src/invidious/views/preferences.ecr
+++ b/src/invidious/views/preferences.ecr
@ -9,7 +9,7 @@ function update_value(element) {
 </script>
 <div class="h-box">
-    <form class="pure-form pure-form-aligned" action="/preferences?referer=<%= referer %>" method="post">
+    <form class="pure-form pure-form-aligned" action="/preferences?referer=<%= URI.escape(referer) %>" method="post">
        <fieldset>
            <legend><%= translate(locale, "Player preferences") %></legend>
--- a/src/invidious/views/subscription_manager.ecr
+++ b/src/invidious/views/subscription_manager.ecr
@ -19,7 +19,7 @@
    </div>
    <div class="pure-u-1-3" style="text-align:right">
        <h3>
-            <a href="/data_control?referer=<%= referer %>">
+            <a href="/data_control?referer=<%= URI.escape(referer) %>">
                <%= translate(locale, "Import/export") %>
            </a>
        </h3>
--- a/src/invidious/views/token_manager.ecr
+++ b/src/invidious/views/token_manager.ecr
@ -11,7 +11,7 @@
    <div class="pure-u-1-3"></div>
    <div class="pure-u-1-3" style="text-align:right">
        <h3>
-            <a href="/preferences?referer=<%= referer %>"><%= translate(locale, "Preferences") %></a>
+            <a href="/preferences?referer=<%= URI.escape(referer) %>"><%= translate(locale, "Preferences") %></a>
        </h3>
    </div>
 </div>