Adam Cooke 84f4e20f05 refactor(auth): tighten return_to validation ...

url_with_return_to only checked that return_to started with a forward
slash, which also allowed protocol-relative values like //host and
/\host. Rails 7.1 already refuses to follow those via redirect_to, so
the user just saw a 500. Reject the same shapes in the helper instead
so we fall back to the default URL cleanly.

Adds a sessions request spec covering the rejected shapes plus the
happy-path relative redirect.

2026-04-24 23:03:50 +01:00

..

assets

feat: openid connect support (#2873)

2024-03-12 17:40:07 +00:00

controllers

refactor(auth): tighten return_to validation

2026-04-24 23:03:50 +01:00

helpers

refactor(helpers): escape interpolated values in select options

2026-04-24 22:55:46 +01:00

lib

fix: typo in process logging (#3212)

2025-10-03 09:41:20 +01:00

mailers

fix: remove user email verification

2024-03-04 14:41:18 +00:00

models

chore: upgrade to rails 7.1 and ruby 3.4 (#3457)

2025-10-01 16:42:39 +01:00

scheduled_tasks

fix: raise NotImplementedError when no call method on a scheduled task

2024-06-20 14:27:20 +01:00

senders

fix(smtp-sender): ensure relays without a host are excluded

2024-03-21 12:33:34 +00:00

services

refactor: refactors message dequeueing (#2810)

2024-02-23 22:51:36 +00:00

util

fix(health_server): use rackup handler instead of rack handler

2025-10-01 18:12:26 +01:00

views

fix(messages): sandbox rendered email HTML as extra XSS defence

2026-04-24 22:12:27 +01:00