use secure url construction

Author: theskumar

hypha/core/middleware/htmx.py

@@ -1,5 +1,5 @@
 import json
-from urllib.parse import urlparse
+from urllib.parse import parse_qs, urlencode, urlparse
 
 from django.contrib.messages import get_messages
 from django.http import HttpRequest, HttpResponse
@@ -105,22 +105,10 @@ def __call__(self, request):
             # Set response status code to 204 for HTMX to process the redirect
             response.status_code = 204
 
-            # Create the redirect URL manually to avoid encoding issues
-            if redirect_url.query:
-                # Extract the query parameters
-                if "next=" in redirect_url.query:
-                    # Replace the existing next parameter
-                    import re
-
-                    new_query = re.sub(
-                        r"next=[^&]*", f"next={next_path}", redirect_url.query
-                    )
-                else:
-                    # Append a new next parameter
-                    new_query = f"{redirect_url.query}&next={next_path}"
-            else:
-                # No existing query parameters
-                new_query = f"next={next_path}"
+            # Update the "?next" query parameter
+            query_params = parse_qs(redirect_url.query)
+            query_params["next"] = [next_path]
+            new_query = urlencode(query_params, doseq=True)
 
             # Set the new HX-Redirect header
             response.headers["HX-Redirect"] = f"{redirect_url.path}?{new_query}"

hypha/core/middleware/tests/test_htmx_auth_redirect.py

@@ -82,7 +82,7 @@ def test_htmx_auth_redirect(request_factory, middleware, settings_with_login_url
 
     # Check that the response is modified with HX-Redirect
     assert response.status_code == 204
-    assert response.headers["HX-Redirect"] == "/accounts/login/?next=/private/"
+    assert response.headers["HX-Redirect"] == "/accounts/login/?next=%2Fprivate%2F"
 
 
 def test_htmx_auth_redirect_with_referer(
@@ -102,7 +102,7 @@ def test_htmx_auth_redirect_with_referer(
 
     # Check that the response uses the Referer's path in the next parameter
     assert response.status_code == 204
-    assert response.headers["HX-Redirect"] == "/accounts/login/?next=/some/page/"
+    assert response.headers["HX-Redirect"] == "/accounts/login/?next=%2Fsome%2Fpage%2F"
 
 
 def test_non_htmx_request_not_redirected(
@@ -137,7 +137,7 @@ def test_htmx_non_auth_redirect_not_affected(
 
     # Assert that the middleware handles the redirect with HX-Redirect
     assert response.status_code == 204
-    assert response.headers["HX-Redirect"] == "/other-page/?next=/redirect/"
+    assert response.headers["HX-Redirect"] == "/other-page/?next=%2Fredirect%2F"
 
 
 def test_htmx_normal_request(request_factory, middleware, settings_with_login_url):