include::../description.adoc[]

== Noncompliant Code Example

Flask

----
from flask import request, redirect

@app.route('move')
def move():
    url = request.args["next"]
    return redirect(url) # Noncompliant
----

Django

----
from django.http import HttpResponseRedirect

def move(request):
    url = request.GET.get("next", "/")
    return HttpResponseRedirect(url) # Noncompliant
----

== Compliant Solution

Flask

----
from flask import request, redirect, url_for

@app.route('move')
def move():
    endpoint = request.args["next"]
    return redirect(url_for(endpoint)) # Compliant
----

Django

----
from django.http import HttpResponseRedirect
from urllib.parse import urlparse

DOMAINS_WHITELIST = ['www.example.com', 'example.com']

def move(request):
    url = request.GET.get("next", "/")
    parsed_uri = urlparse(url)
    if parsed_uri.netloc in DOMAINS_WHITELIST:
        return HttpResponseRedirect(url) # Compliant
    return HttpResponseRedirect("/")
----

include::../see.adoc[]