== How to fix it in Django

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant]
----
from django.http import HttpResponseRedirect

def redirect():
    url = request.GET.get("url", "/")
    return HttpResponseRedirect(url)  # Noncompliant
----

==== Compliant solution

[source,python,diff-id=1,diff-type=compliant]
----
from django.http import HttpResponseRedirect
from urllib.parse import urlparse

allow_list = ['www.example.com', 'example.com']

def redirect():
    url = request.GET.get("url", "/")
    parsed_url = urlparse(url)
    if parsed_url.netloc in allow_list:
        return HttpResponseRedirect("https://" + parsed_url.netloc)
    return HttpResponseRedirect("/")
----

include::../../common/fix/how-does-this-work.adoc[]

=== Pitfalls

include::../../common/pitfalls/starts-with.adoc[]