Fix XSS vulnerability on Stripe payment page

Author: excid3

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 ### Unreleased
 
+* [SECURITY] Fix XSS vulnerability in back parameter on Stripe payment page
+  Previously, an attacker could inject Javascript or redirect the user to any URL by changing the `back` parameter in the URL.
+  The `back` parameter is now sanitized and restricted to relative paths.
 * Remove unused attributes for `plan` and `quantity` in `app/models/pay/customer.rb`.
 * Add explicit requires for `active_support` and `action_mailer` in `lib/pay.rb`. This should provide better errors for anyone not requiring all of Rails.
 

app/controllers/pay/payments_controller.rb

@@ -2,9 +2,18 @@ module Pay
   class PaymentsController < ApplicationController
     layout "pay/application"
 
+    before_action :set_redirect_to
+
     def show
-      @redirect_to = params[:back].presence || root_path
       @payment = Payment.from_id(params[:id])
     end
+
+    private
+
+    # Ensure the back parameter is a valid path
+    # This safely handles XSS or external redirects
+    def set_redirect_to
+      @redirect_to = URI.parse(params[:back].to_s).path || root_path
+    end
   end
 end

app/views/pay/payments/show.html.erb

@@ -54,7 +54,7 @@
         </div>
       <% end %>
 
-      <%= link_to t("pay.back"), @redirect_to, class: "inline-block w-full px-4 py-3 bg-gray-100 hover:bg-gray-200 text-center text-gray-600 rounded-lg" %>
+      <%= sanitize link_to(t("pay.back"), @redirect_to, class: "inline-block w-full px-4 py-3 bg-gray-100 hover:bg-gray-200 text-center text-gray-600 rounded-lg") %>
     </div>
 
     <p class="text-center text-gray-500 text-sm">