path: root/railties/lib/rails/initializable.rb
author: Damien Burke <damien@damienburke.com> 2015-11-03 17:17:10 -0800
committer: Damien Burke <damien@damienburke.com> 2015-11-03 17:20:48 -0800
commit: ab5fb4f22430afa58c334f7e7e142660164490e5 (patch)
tree: fbb50859955bddc1fa48dbe1667eb6ae1b8b1596 /railties/lib/rails/initializable.rb
parent: e37b470a6675a05df5a57455a3ac8c1c88ef04d6 (diff)
Don’t allow arbitrary data in back urls
`link_to :back` creates a link to whatever was passed in via the referer header. If an attacker can alter the referer header, that would create a cross-site scripting vulnerability on every page that uses `link_to :back`.

This commit restricts the back URL to valid non-javascript URLs.

https://github.com/rails/rails/issues/14444
Diffstat (limited to 'railties/lib/rails/initializable.rb')
0 files changed, 0 insertions, 0 deletions
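To make the issue in the commit message concrete, here is an added Ruby example that is not code from this commit or from Rails itself. It shows a back-link helper that trusts the `Referer` header verbatim (the behaviour the message warns about) beside a hardened version that only accepts `http`/`https` URLs or same-origin relative paths. The function names `unsafe_back_url`, `safe_back_url` and `back_link`, the `FALLBACK` constant and the sample referer values are all assumptions made for this illustration; the allow-list approach is stricter than a simple "reject the javascript scheme" check and is this example's own design, not a description of how Rails implements the fix.

```ruby
require "uri"
require "cgi"

# Fallback used when the referer is missing or rejected. It is a
# javascript: URL on purpose: it runs history.back() in the user's
# browser and never contains attacker-controlled data.
FALLBACK = "javascript:history.back()".freeze

# Constructed sample Referer header values (not taken from a real request).
# true  => the hardened helper should link to it
# false => the hardened helper should fall back to history.back()
SAMPLE_REFERERS = {
  "https://example.com/orders/42"     => true,
  "/orders?page=2"                    => true,
  "javascript:alert(document.cookie)" => false,  # classic XSS payload
  "JaVaScRiPt:alert(1)"               => false,  # scheme is case-insensitive
  "data:text/html,hello"              => false,  # not a navigable web URL
  "//evil.example/phish"              => false,  # protocol-relative, off-site
  "http://[bad uri"                   => false,  # unparseable
}.freeze

# Vulnerable form: whatever the client sent becomes the href. Attribute
# escaping alone does not help here, because a javascript: URL is a
# syntactically valid attribute value that executes on click.
def unsafe_back_url(referer)
  referer || FALLBACK
end

# Hardened form: allow-list the shapes of URL a back link may point to.
#   - absolute http(s) URLs with a host
#   - relative paths starting with a single "/" (not "//host", which the
#     browser would treat as protocol-relative and therefore off-site)
# Anything else, including unparseable input, falls back.
def safe_back_url(referer)
  return FALLBACK if referer.nil? || referer.strip.empty?

  uri = URI.parse(referer)
  if uri.scheme.nil?
    return referer if referer.start_with?("/") && !referer.start_with?("//")
    return FALLBACK
  end
  return referer if %w[http https].include?(uri.scheme.downcase) && uri.host

  FALLBACK
rescue URI::InvalidURIError
  FALLBACK
end

# Renders the anchor. The URL check above decides *which* URL is used;
# HTML escaping is still needed so the chosen URL cannot break out of
# the attribute (e.g. a referer containing a double quote).
def back_link(referer, text = "Back")
  %(<a href="#{CGI.escapeHTML(safe_back_url(referer))}">#{CGI.escapeHTML(text)}</a>)
end

# Runs every sample referer through the hardened helper and reports
# whether it was accepted, for comparison against SAMPLE_REFERERS.
def classify_samples
  SAMPLE_REFERERS.to_h { |ref, _| [ref, safe_back_url(ref) != FALLBACK] }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REFERERS.each_key do |ref|
    puts "#{ref.inspect}\n  unsafe: #{unsafe_back_url(ref)}\n  safe:   #{safe_back_url(ref)}"
  end
end
```

Run it directly to see each sample referer beside the URL each helper would emit. The point of the allow-list over a blocklist is that it also rejects schemes the author did not think of (`data:`, `vbscript:`) and protocol-relative `//host` paths, without having to enumerate them.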