Escape next_path URL in validate_referral_url

Gee19 · Gee19 · commit e688b7684841 · 2022-11-30T21:44:18.000-05:00
- backslashes are safe
diff --git a/djangosaml2/utils.py b/djangosaml2/utils.py
@@ -110,7 +110,8 @@ def validate_referral_url(request, url):
 
     if not url_has_allowed_host_and_scheme(url=url, allowed_hosts=saml_allowed_hosts):
         return get_fallback_login_redirect_url()
-    return url
+
+    return urllib.parse.quote(url, safe="/")
 
 
 def saml2_from_httpredirect_request(url):
