[5.x] Allow external redirects from Form::getSubmissionRedirect #14318

Merged: jasonvarga merged 2 commits into 5.x from fix-form-external-redirect on Mar 22, 2026

@jasonvarga (Member)

Summary

  • Moves the external URL check from formSuccess into formSuccessRedirect so it only blocks user-controlled _redirect params
  • Trusted developer-defined redirects via Form::getSubmissionRedirect are now allowed to redirect to external URLs (e.g. payment providers)

Fixes #14317

🤖 Generated with Claude Code

jasonvarga and others added 2 commits March 22, 2026 10:13
Move the external URL check into formSuccessRedirect so it only
blocks user-controlled _redirect params, not trusted developer-defined
redirects via Form::getSubmissionRedirect.

Fixes #14317

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…d redirects

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jasonvarga jasonvarga marked this pull request as ready for review March 22, 2026 14:47
@jasonvarga jasonvarga merged commit 828bbf9 into 5.x Mar 22, 2026
27 checks passed
@jasonvarga jasonvarga deleted the fix-form-external-redirect branch March 22, 2026 14:47
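
The trust boundary described in the summary, as an added PHP sketch that is not Statamic's code and not part of this pull request: only the user-controlled `_redirect` value goes through the external-URL check, while a developer-defined redirect is returned as-is. The function names, the placeholder hosts, and the precedence of the developer-defined redirect are assumptions.

```php
<?php
// Added illustration (PHP 8+). Hypothetical helpers, not Statamic's implementation.

// True when $url would send the browser to a host other than $appHost.
function isExternalUrl(string $url, string $appHost): bool
{
    // Control characters are stripped by browsers and can hide "//host".
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return true;
    }
    // Browsers treat "\" as "/", so "/\host" is protocol-relative.
    $url = str_replace('\\', '/', trim($url));
    $parts = parse_url($url);
    if ($parts === false) {
        return true; // unparseable: refuse rather than guess
    }
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return str_starts_with($url, '//'); // otherwise a plain relative path
    }
    // Covers absolute URLs, "//host" and host-less schemes such as "javascript:".
    return strcasecmp($parts['host'] ?? '', $appHost) !== 0;
}

// $developerRedirect: set by application code (the role Form::getSubmissionRedirect
// plays in this PR). $userRedirect: the request's _redirect parameter.
// Assumption of this sketch: the developer-defined value takes precedence.
function resolveFormRedirect(?string $developerRedirect, ?string $userRedirect,
    string $appHost, string $fallback = '/'): string
{
    if ($developerRedirect !== null) {
        return $developerRedirect; // trusted source: external URL allowed
    }
    if ($userRedirect !== null && $userRedirect !== '' && !isExternalUrl($userRedirect, $appHost)) {
        return $userRedirect; // user-controlled: same-site only
    }
    return $fallback;
}

// Constructed inputs; shop.example and the other hosts are placeholders.
$cases = [
    [null, '/thanks'],
    [null, 'https://shop.example/thanks'],
    [null, 'https://evil.example/login'],
    [null, '/\\evil.example'],
    [null, 'https://shop.example@evil.example/'],
    ['https://pay.example/checkout', 'https://evil.example/login'],
];
foreach ($cases as [$dev, $user]) {
    echo var_export($user, true), ' => ', resolveFormRedirect($dev, $user, 'shop.example'), PHP_EOL;
}
```

The third, fourth and fifth cases fall back to `/`; the last case returns the payment URL because it comes from the trusted source.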