Warn user about open redirects #7056
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
javiereguiluz approved these changes Nov 21, 2016
There was a problem hiding this comment.
👍 I agree with this because the Symfony Docs has always been about making our readers better developers, not only better Symfony developers.
I propose to display this as a caution instead of a tip and to remove the explicit reference to OWASP. If you don't agree with these changes, please tell us. Thanks!
| Thank you @pascaldevink. |
xabbuh added a commit that referenced this pull request Nov 22, 2016
This PR was submitted for the master branch but it was merged into the 2.7 branch instead (closes #7056). Discussion ---------- Warn user about open redirects The `redirect()` method is open to open redirects if user input is directly passed as parameter. This is of course as intended, and most people would know directly passing user input is never wise, but I think that warning developers can not be done enough. I hope this message is clear, but please let me know of any better wording or if the `tip` context is the right one to use here. Commits ------- 8f77746 Reworded the caution about open redirects 4a4a5fa Warn user about open redirects
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
The
redirect()method is open to open redirects if user input is directly passed as parameter. This is of course as intended, and most people would know directly passing user input is never wise, but I think that warning developers can not be done enough.I hope this message is clear, but please let me know of any better wording or if the
tipcontext is the right one to use here.