--- loncom/auth/lonlogin.pm 2021/09/28 21:16:07 1.187
+++ loncom/auth/lonlogin.pm 2021/10/06 19:28:55 1.188
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Login Screen
 #
-# $Id: lonlogin.pm,v 1.187 2021/09/28 21:16:07 raeburn Exp $
+# $Id: lonlogin.pm,v 1.188 2021/10/06 19:28:55 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -38,6 +38,8 @@ use Apache::lonlocal;
 use Apache::migrateuser();
 use lib '/home/httpd/lib/perl/';
 use LONCAPA qw(:DEFAULT :match);
+use URI::Escape;
+use HTML::Entities();
 use CGI::Cookie();
 sub handler {
@@ -111,7 +113,6 @@ sub handler {
 }
 my $lonhost = $r->dir_config('lonHostID');
- $env{'form.firsturl'} =~ s/(`)/'/g;
 # Check if browser sent a LON-CAPA load balancer cookie (and this is a balancer)
@@ -123,7 +124,12 @@ sub handler {
 $protocol = 'http' if ($protocol ne 'https');
 my $dest = '/adm/roles';
 if ($env{'form.firsturl'} ne '') {
- $dest = &HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');
+ if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+ $dest = &uri_escape_utf8($env{'form.firsturl'});
+ } else {
+ $dest = &uri_escape($env{'form.firsturl'});
+ }
+ $dest = &HTML::Entities::encode($dest,"'");
 }
 my %info = (
 balcookie => $lonhost.':'.$balancer_cookie,
@@ -203,7 +209,12 @@ sub handler {
 &Apache::loncommon::end_page();
 my $dest = '/adm/roles';
 if ($env{'form.firsturl'} ne '') {
- $dest = &HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');
+ if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+ $dest = &uri_escape_utf8($env{'form.firsturl'});
+ } else {
+ $dest = &uri_escape($env{'form.firsturl'});
+ }
+ $dest = &HTML::Entities::encode($dest,"'");
 }
 if (($env{'form.ltoken'}) || ($linkprot)) {
 unless ($linkprot) {
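Review bot: The choice between `uri_escape_utf8` and `uri_escape` in the `-123,7 +124,12` hunk is made on the whole string, so a character in the \x80-\xFF range is percent-encoded as a single Latin-1 byte when it appears alone but as a UTF-8 sequence when any wider character is also present. Whether that matters depends on whether `$env{'form.firsturl'}` holds decoded characters or raw bytes, which is not visible here. The same six added lines are repeated in the hunks at -203, -796 and -1022, so one helper would keep the four call sites in step and give the encoding decision a single documented home; each call site then becomes one assignment such as `$dest = &escape_firsturl($env{'form.firsturl'});` (the helper name is only a suggestion). `handler` starts and ends outside this hunk.

```perl
# Percent-encode a user-supplied firsturl for use in a query string, then
# entity-encode any apostrophe that the URI escaping left in place.
sub escape_firsturl {
    my ($firsturl) = @_;
    my $escaped;
    if ($firsturl =~ /[^\x00-\xFF]/) {
        # uri_escape() cannot handle characters above \xFF
        $escaped = &uri_escape_utf8($firsturl);
    } else {
        $escaped = &uri_escape($firsturl);
    }
    return &HTML::Entities::encode($escaped,"'");
}
```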
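Review bot: `$dest` in the `-203,7 +209,12` hunk is now percent-encoded in full, including every `/` in `form.firsturl`, so whatever reads it later in `handler` (outside this hunk) has to `uri_unescape` it before treating it as a destination; the same holds for the block at -123. A short comment above the assignment would make that contract explicit, e.g. `# $dest is URI-escaped here; consumers must uri_unescape it before use`. The escaping also does nothing to constrain where `firsturl` points, so if no check elsewhere restricts it to a local path, that check belongs at the point where the value is finally used for a redirect.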
@@ -796,8 +807,14 @@ HEADER
 $ssologin = $samlssourl;
 }
 if ($env{'form.firsturl'} ne '') {
- $ssologin .= (($ssologin=~/\?/)?'&':'?') .
- 'origurl='.&HTML::Entities::encode($env{'form.firsturl'},'\'<>&"');
+ my $querystring;
+ if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+ $querystring = &uri_escape_utf8($env{'form.firsturl'});
+ } else {
+ $querystring = &uri_escape($env{'form.firsturl'});
+ }
+ $querystring = &HTML::Entities::encode($querystring,"'");
+ $ssologin .= (($ssologin=~/\?/)?'&':'?') . $querystring;
 }
 my $ssohref;
 if ($samlssoimg ne '') {
@@ -1022,7 +1039,14 @@ sub redirect_page {
 }
 my $url = $protocol.'://'.$hostname.$path;
 if ($env{'form.firsturl'} ne '') {
- $url .='?firsturl='.&HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');;
+ my $querystring;
+ if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+ $querystring = &uri_escape_utf8($env{'form.firsturl'});
+ } else {
+ $querystring = &uri_escape($env{'form.firsturl'});
+ }
+ $querystring = &HTML::Entities::encode($querystring,"'");
+ $url .='?firsturl='.$querystring
 }
 if ($linkprot) {
 my $ltoken = &Apache::lonnet::tmpput({linkprot => $linkprot},$desthost);
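Review bot: The `origurl=` parameter name is lost in the `-796,8 +807,14` hunk: the removed lines appended `'origurl='` followed by the encoded value, while the new last line appends `$querystring` alone, so the SSO link would carry the escaped URL as a bare query string with no key. Unless the SSO endpoint was changed to read it that way (nothing visible here says so), the append should read `$ssologin .= (($ssologin=~/\?/)?'&':'?') . 'origurl=' . $querystring;`. The enclosing code starts and ends outside the hunk.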
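Review bot: The added line `$url .='?firsturl='.$querystring` in `redirect_page` has no terminating semicolon; Perl accepts that for the last statement in a block, but the next statement added below it will break the file, so write `$url .='?firsturl='.$querystring;`. A comment above the `HTML::Entities::encode($querystring,"'")` call should say why only the apostrophe is entity-encoded, e.g. `# uri_escape already percent-encodes <, >, " and &; depending on the installed URI::Escape, ' may be left as-is`. `redirect_page` starts and ends outside this hunk.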