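def validate_next_url(next_url):
    """
    Non-view helper function that checks `next_url`. Only allow redirects which are relative root or full domain
    (CAS, OSF and MFR). Disallows external redirects.

    :param next_url: the next url to check; an empty or missing value is rejected rather than raising
    :return: True if valid, False otherwise
    """
    # Guard empty input first: indexing `next_url[0]` below would raise IndexError on ''.
    if not next_url:
        return False
    # disable external domain using `//`: the browser allows `//` as a shortcut for non-protocol specific requests
    # like http:// or https:// depending on the use of SSL on the page already. Browsers also normalise a
    # backslash to a forward slash in these positions, so a leading `/\` is treated as `//` and is rejected too.
    if next_url.startswith(('//', '/\\')):
        return False
    # only OSF, MFR, CAS and Branded Preprints domains are allowed
    # NOTE(review): `startswith` is only a host check if the configured prefixes end with a path delimiter
    # (e.g. a trailing '/'); confirm settings.DOMAIN / CAS_SERVER_URL / MFR_SERVER_URL are configured that way.
    if next_url[0] == '/' or next_url.startswith(settings.DOMAIN):  # OSF
        return True
    if next_url.startswith(settings.CAS_SERVER_URL) or next_url.startswith(settings.MFR_SERVER_URL):  # CAS or MFR
        return True
    for url in campaigns.get_external_domains():  # Branded Preprints Phase 2
        # An empty prefix would match every URL, so skip falsy entries instead of allowing everything.
        if url and next_url.startswith(url):
            return True
    return False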
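def validate_next_url(next_url):
    """
    Non-view helper function that checks `next_url`. Only allow redirects which are relative root or full domain
    (CAS, OSF and MFR). Disallows external redirects.

    :param next_url: the next url to check; an empty or missing value is rejected rather than raising
    :return: True if valid, False otherwise
    """
    # Guard empty input first: indexing `next_url[0]` below would raise IndexError on ''.
    if not next_url:
        return False
    # disable external domain using `//`: the browser allows `//` as a shortcut for non-protocol specific requests
    # like http:// or https:// depending on the use of SSL on the page already. Browsers also normalise a
    # backslash to a forward slash in these positions, so a leading `/\` is treated as `//` and is rejected too.
    if next_url.startswith(('//', '/\\')):
        return False
    # only OSF, MFR, CAS and Branded Preprints domains are allowed
    # NOTE(review): `startswith` is only a host check if the configured prefixes end with a path delimiter
    # (e.g. a trailing '/'); confirm settings.DOMAIN / CAS_SERVER_URL / MFR_SERVER_URL and each Region's
    # mfr_url are configured that way.
    if next_url[0] == '/' or next_url.startswith(settings.DOMAIN):  # OSF
        return True
    if next_url.startswith(settings.CAS_SERVER_URL) or next_url.startswith(settings.MFR_SERVER_URL):  # CAS or MFR
        return True
    # Per-region MFR hosts. A NULL/empty mfr_url would either raise (None) or match every URL (''), so skip
    # falsy values instead of allowing everything.
    for url in Region.objects.values_list('mfr_url', flat=True):
        if url and next_url.startswith(url):
            return True
    for url in campaigns.get_external_domains():  # Branded Preprints Phase 2
        if url and next_url.startswith(url):
            return True
    return False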