Merge pull request #359 from Gee19/master

fix: XSS in next_path url param

Author: Giuseppe De Marco

djangosaml2/utils.py

@@ -110,7 +110,8 @@ def validate_referral_url(request, url):
 
     if not url_has_allowed_host_and_scheme(url=url, allowed_hosts=saml_allowed_hosts):
         return get_fallback_login_redirect_url()
-    return url
+
+    return urllib.parse.quote(url, safe="/")
 
 
 def saml2_from_httpredirect_request(url):

setup.py

@@ -27,7 +27,7 @@ def read(*rnames):
 
 setup(
     name="djangosaml2",
-    version="1.5.3",
+    version="1.5.4",
     description="pysaml2 integration for Django",
     long_description=read("README.md"),
     long_description_content_type="text/markdown",
@@ -61,9 +61,5 @@ def read(*rnames):
     packages=find_packages(exclude=["tests", "tests.*"]),
     include_package_data=True,
     zip_safe=False,
-    install_requires=[
-        "defusedxml>=0.4.1",
-        "Django>=2.2,<5",
-        "pysaml2>=6.5.1",
-    ],
+    install_requires=["defusedxml>=0.4.1", "Django>=2.2,<5", "pysaml2>=6.5.1"],
 )