This check (I think that) protects you from 'javascript:' URL...
Indeed, it appears to have some value. Clicking on the link that
results from the following URL gives me a javascript alert:
https://cas.example.com/cas/logout?url=javascript:alert('Oops')
If you're going to the trouble of string checking, I'd recommend you go
all the way and do what Jérôme suggested and match against a regex that
describes a whitelist of allowed services. Just off the top of my head:
^https?://([A-Za-z0-9_-]+\.)*yourdomain\.tld(:\d+)?/.*
M
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
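As an added illustration of the allowlist approach recommended above (this is example code, not part of the original message or of CAS itself), the following Python validator applies the suggested regex to a logout `url` parameter and falls back to a safe local page when the value does not match. It generalizes the regex slightly by making the path optional, so `https://yourdomain.tld` without a trailing slash is also accepted, and it re-parses the accepted URL to confirm the host. `yourdomain.tld`, the function names, the default redirect path and the sample URLs are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Allowlist regex from the message, compiled case-insensitively and used with
# fullmatch so nothing can trail the matched URL. The path group is made
# optional so a bare host URL passes. "yourdomain.tld" is a placeholder.
ALLOWED_SERVICE_RE = re.compile(
    r"https?://([A-Za-z0-9_-]+\.)*yourdomain\.tld(:\d+)?(/.*)?",
    re.IGNORECASE,
)

ALLOWED_DOMAIN = "yourdomain.tld"  # placeholder domain, assumption


def is_allowed_service(url):
    """Return True only for http(s) URLs whose host is in the allowlisted domain.

    Rejects non-string input, any other scheme (including javascript:), and
    lookalike hosts such as yourdomain.tld.evil.example or user@host tricks.
    """
    if not isinstance(url, str) or not ALLOWED_SERVICE_RE.fullmatch(url):
        return False
    # Second, independent check: parse the URL the way a client would and
    # compare the resolved hostname, not just the text the regex saw.
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


def logout_redirect_target(url_param, default="/cas/logout-done"):
    """Pick the post-logout redirect: the validated parameter, else a local default."""
    if url_param and is_allowed_service(url_param):
        return url_param
    return default


# Constructed sample values a logout endpoint might receive as its url parameter.
SAMPLE_URLS = [
    "https://app.yourdomain.tld/login",
    "http://yourdomain.tld:8443/",
    "https://yourdomain.tld",
    "HTTPS://APP.YOURDOMAIN.TLD/",
    "javascript:alert('Oops')",
    "https://evil.example/?u=https://yourdomain.tld/",
    "https://yourdomain.tld.evil.example/",
    "https://yourdomain.tld@evil.example/",
]

if __name__ == "__main__":
    for candidate in SAMPLE_URLS:
        verdict = "allow " if is_allowed_service(candidate) else "reject"
        print(f"{verdict}  {candidate!r:55} -> {logout_redirect_target(candidate)}")
```

Two design points: `fullmatch` (rather than `match`) means the pattern's `.*` cannot be followed by stray characters, and the second hostname check guards against a future edit to the regex quietly widening what it accepts.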