From b9324a42ef0605b3ac507d89efb748416c68d4d8 Mon Sep 17 00:00:00 2001
From: Paul Schilling
Date: Tue, 23 Apr 2024 14:56:20 +0200
Subject: [PATCH] [#2240] Avoid open redirects

---
 src/open_inwoner/openklant/views/contactform.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/open_inwoner/openklant/views/contactform.py b/src/open_inwoner/openklant/views/contactform.py
index 0038da5642..90f4ff8115 100644
--- a/src/open_inwoner/openklant/views/contactform.py
+++ b/src/open_inwoner/openklant/views/contactform.py
@@ -1,5 +1,9 @@
+from django.conf import settings
 from django.contrib import messages
+from django.urls import reverse
+from django.utils.encoding import iri_to_uri
 from django.utils.functional import cached_property
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.translation import gettext_lazy as _
 from django.views.generic import FormView
 
@@ -26,7 +30,14 @@ def page_title(self):
         return _("Contact formulier")
 
     def get_success_url(self):
-        return self.request.path
+        success_url = self.request.path
+        if url_has_allowed_host_and_scheme(
+            success_url,
+            allowed_hosts=[self.request.get_host()],
+            require_https=settings.IS_HTTPS,
+        ):
+            return iri_to_uri(success_url)
+        return reverse("contactform")
 
     def get_form_kwargs(self):
         kwargs = super().get_form_kwargs()
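Review bot: The validation in `get_success_url` runs on `self.request.path`, which carries no host or scheme, so the only inputs it can reject are protocol-relative paths (`//host/...`) and the `///` form; a reader who sees "open redirect" in the commit title may assume a user-supplied `next` parameter is being checked, which this view does not read. A comment above the `if` would prevent that, e.g. `# request.path is host-less; the check only rejects protocol-relative (//host) paths that would turn the redirect off-site`. The rejected case falls through silently to `reverse("contactform")`; logging it before that return, e.g. `logger.warning("Rejected unsafe success_url %r", success_url)`, would make a tampered path visible in monitoring (no module logger is visible in the hunk, so one would need to exist or be added). The `contactform` URL name and `settings.IS_HTTPS` are not visible here; confirm both are defined. The enclosing class starts outside the hunk.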