diff --git a/lib/SimpleSAML/Utils/HTTP.php b/lib/SimpleSAML/Utils/HTTP.php index a057538277df1bfb3eccd3d15bed33e5cfce207b..fd01223d794b57d42d9bc178309002425276a2ad 100644 --- a/lib/SimpleSAML/Utils/HTTP.php +++ b/lib/SimpleSAML/Utils/HTTP.php @@ -186,9 +186,10 @@ class HTTP echo '<html xmlns="http://www.w3.org/1999/xhtml">'."\n"; echo " <head>\n"; echo ' <meta http-equiv="content-type" content="text/html; charset=utf-8">'."\n"; + echo ' <meta http-equiv="refresh" content="0;URL=\''.htmlspecialchars($url).'\'">'."\n"; echo " <title>Redirect</title>\n"; echo " </head>\n"; - echo " <body onload=\"window.location.replace('".htmlspecialchars($url)."');\">\n"; + echo " <body>\n"; echo " <h1>Redirect</h1>\n"; echo ' <p>You were redirected to: <a id="redirlink" href="'.htmlspecialchars($url).'">'; echo htmlspecialchars($url)."</a>\n"; @@ -325,6 +326,10 @@ class HTTP } $url = self::normalizeURL($url); + if (filter_var($url, FILTER_VALIDATE_URL) === false) { + throw new \SimpleSAML_Error_Exception('Invalid URL: '.$url); + } + // get the white list of domains if ($trustedSites === null) { $trustedSites = \SimpleSAML_Configuration::getInstance()->getValue('trusted.url.domains', array());
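Review bot: The added meta refresh line wraps the target in single quotes (`URL='…'`), and HTML-escaping cannot protect that inner delimiter, because the browser decodes the attribute value before it parses the refresh string. A `'` in `$url` therefore still ends the URL early, whichever flags `htmlspecialchars()` runs with, and the automatic redirect goes to a truncated address while the visible link shows the full one. Percent-encode the quote before escaping, e.g. `htmlspecialchars(str_replace("'", '%27', $url))`, or drop the inner quotes so the URL runs to the end of the attribute. The enclosing function starts and ends outside this hunk, so any earlier validation of `$url` is not visible here.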
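Review bot: The added `filter_var($url, FILTER_VALIDATE_URL)` check only tests generic URL syntax, so it should not be read as restricting the redirect target to http(s). It accepts any scheme and rejects hosts with non-ASCII characters. Whether `normalizeURL()` already enforces the scheme is not visible in this hunk; if it does not, add `if (!preg_match('@^https?://@i', $url)) { throw new \SimpleSAML_Error_Exception('Invalid URL: '.$url); }` beside the new check. The exception message also concatenates the rejected, caller-supplied `$url`, so whatever renders or logs it has to encode it for that context. The enclosing function starts and ends outside the hunk.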