* Gordian Edenhofer <gordian.edenho...@gmail.com> (Thu, 18 Jun 2015 21:28:17 +0200): > After the user was authenticated a redirect to the site which > linked the user to the login page is done. This fixes FS#32481. > --- […] > + <input id="id_referer" type="hidden" > name="referer" value="<?= !empty($_SERVER['HTTP_REFERER']) ? > $_SERVER['HTTP_REFERER'] : '/'; ?>" /> </p> </fieldset>
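Review bot: the hidden `referer` field echoes `$_SERVER['HTTP_REFERER']` straight into a double-quoted attribute, so a referer containing `"` ends the attribute and any following text is rendered as markup (reflected XSS from a header the client controls). Wrap it in `htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8')` before output. Since the commit message says this value becomes the post-login redirect target, it also needs validation on the server side when it comes back: accept only a path on this site (leading single `/`, no scheme or host) and fall back to `/` otherwise, so a tampered field cannot redirect the user elsewhere.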
You should use htmlspecialchars here, &s should be encoded as &amp; etc. But I fear this method has the same drawback as mine: the user can tamper with those hidden form fields.
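One way to cover both points raised above, as an added example that is not part of the patch or the project's code (the function names and the sample values are assumptions):

```php
<?php
// Escape the referer before echoing it into the hidden field. ENT_QUOTES
// encodes both " and ', so the value cannot close the attribute it sits in.
function referer_field_value(array $server): string
{
    $ref = $server['HTTP_REFERER'] ?? '/';
    return htmlspecialchars($ref, ENT_QUOTES, 'UTF-8');
}

// When the form comes back, accept only a path on this site as the redirect
// target. Anything with a foreign host, a protocol-relative "//host" form,
// or control characters falls back to "/".
function safe_redirect_target(string $candidate, string $ownHost): string
{
    $candidate = trim($candidate);
    if ($candidate === '') {
        return '/';
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return '/';
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute URL: keep it only if the host is ours, reduced to path+query.
        if (!isset($parts['host']) || strcasecmp($parts['host'], $ownHost) !== 0) {
            return '/';
        }
        $candidate = ($parts['path'] ?? '/')
            . (isset($parts['query']) ? '?' . $parts['query'] : '');
    }
    // Must start with a single "/" (not "//" or "/\") and contain no control bytes.
    if (!preg_match('#^/(?![/\\\\])[^\x00-\x1f]*$#', $candidate)) {
        return '/';
    }
    return $candidate;
}

// Constructed sample values (hypothetical host) for a quick self-check.
assert(safe_redirect_target('/packages/?q=x', 'example.org') === '/packages/?q=x');
assert(safe_redirect_target('//attacker.example/', 'example.org') === '/');
assert(safe_redirect_target('https://example.org/login', 'example.org') === '/login');
assert(safe_redirect_target('https://attacker.example/', 'example.org') === '/');
```

The escaping protects the page that renders the field; the validation protects the redirect, which a user can still tamper with since hidden fields are client-side.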