URL redirection from remote source (#29)

comic_auth/views.py

@@ -1,6 +1,7 @@
 from django.contrib.auth import authenticate, login, logout
 from django.contrib.auth.models import User
 from django.shortcuts import redirect, render
+from django.utils.http import url_has_allowed_host_and_scheme
 
 from comic_auth.forms import LoginForm
 
@@ -14,9 +15,12 @@ def comic_login(request):
                 if user.is_active:
                     login(request, user)
                     if "next" in request.GET:
+                        if url_has_allowed_host_and_scheme(request.GET["next"], allowed_hosts=None):
                             return redirect(request.GET["next"])
                         else:
                             return redirect("/comic/")
+                    else:
+                        return redirect("/comic/")
                 else:
                     return render(request, "comic_auth/login.html", {"error": True})
             else: