}
/**
- * Instead of outputting a fatal error message, we'll just redirect to the entryURL if present
+ * Instead of outputting a fatal error message, we'll just redirect
+ * to the entryURL if present
*
* @return void
*/
public function invalidKeyRedirect() {
- if ($this->_entryURL) {
- CRM_Core_Session::setStatus(ts('Your browser session has expired and we are unable to complete your form submission. We have returned you to the initial step so you can complete and resubmit the form. If you experience continued difficulties, please contact us for assistance.'));
- return CRM_Utils_System::redirect($this->_entryURL);
- }
- else {
- self::invalidKeyCommon();
+ if ($this->_entryURL && $url_parts = parse_url($this->_entryURL)) {
+ // CRM-16832: Ensure local redirects only.
+ if (!empty($url_parts['path'])) {
+ // Prepend a slash, but don't duplicate it.
+ $redirect_url = '/' . ltrim($url_parts['path'], '/');
+ if (!empty($url_parts['query'])) {
+ $redirect_url .= '?' . $url_parts['query'];
+ }
+ CRM_Core_Session::setStatus(ts('Your browser session has expired and we are unable to complete your form submission. We have returned you to the initial step so you can complete and resubmit the form. If you experience continued difficulties, please contact us for assistance.'));
+ return CRM_Utils_System::redirect($redirect_url);
+ }
}
+ self::invalidKeyCommon();
}
}