Add validation before using url

This commit is contained in:
Joachim 2022-12-30 17:56:25 +01:00
parent bfe04feca9
commit 78c214a6d4
3 changed files with 8 additions and 0 deletions


@ -12,6 +12,7 @@ from django.views.decorators.http import require_POST
from bookwyrm import forms, models
from bookwyrm.views.shelf.shelf_actions import unshelve
from bookwyrm.utils.validate import validate_url_domain
from .status import CreateStatus
from .helpers import get_edition, handle_reading_status, is_api_request
from .helpers import load_date_in_user_tz_as_utc
@ -43,6 +44,7 @@ class ReadingStatus(View):
def post(self, request, status, book_id):
"""Change the state of a book by shelving it and adding reading dates"""
next_step = request.POST.get("next", "/")
next_step = validate_url_domain(next_step, "/")
identifier = {
"want": models.Shelf.TO_READ,
"start": models.Shelf.READING,
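Review bot: `validate_url_domain(next_step, "/")` at the top of ReadingStatus.post is only as safe as the helper's handling of relative and scheme-relative values, and nothing in this hunk shows which forms it accepts; the `next` values produced by the templates are presumably relative paths, so if the helper only admits absolute URLs on the instance domain every redirect collapses to "/", while if it admits anything without a host, scheme-relative inputs such as `//host/path` need to be covered by its tests. Django's `django.utils.http.url_has_allowed_host_and_scheme` already handles those cases and could back the helper instead of a hand-rolled check. A one-line comment at the call site would help the next reader: `# drop "next" unless it points back at this instance (open-redirect guard)`. ReadingStatus.post continues past the hunk, so where the validated next_step is finally used is not visible here.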


@ -3,6 +3,7 @@ from django.db import IntegrityError, transaction
from django.contrib.auth.decorators import login_required
from django.shortcuts import get_object_or_404, redirect
from django.views.decorators.http import require_POST
from bookwyrm.utils.validate import validate_url_domain
from bookwyrm import forms, models
@ -36,6 +37,7 @@ def delete_shelf(request, shelf_id):
def shelve(request):
"""put a book on a user's shelf"""
next_step = request.POST.get("next", "/")
next_step = validate_url_domain(next_step, "/")
book = get_object_or_404(models.Edition, id=request.POST.get("book"))
desired_shelf = get_object_or_404(
request.user.shelf_set, identifier=request.POST.get("shelf")
@ -97,6 +99,7 @@ def shelve(request):
def unshelve(request, book_id=False):
"""remove a book from a user's shelf"""
next_step = request.POST.get("next", "/")
next_step = validate_url_domain(next_step, "/")
identity = book_id if book_id else request.POST.get("book")
book = get_object_or_404(models.Edition, id=identity)
shelf_book = get_object_or_404(
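Review bot: The import `from bookwyrm.utils.validate import validate_url_domain` added in the first hunk of this file sits above `from bookwyrm import forms, models`, whereas the other two files in this commit place it after the `bookwyrm` package imports; moving it below keeps the three files consistent. In shelve and unshelve the default is also stated twice, once in `request.POST.get("next", "/")` and again as the helper's second argument, and the same pair is repeated verbatim in ReadingStatus.post, CreateStatus.post and edit_readthrough, so a small helper such as `next_step = get_next_step(request)` in `.helpers` wrapping both calls would keep the guard in one place and make it harder to omit on the next view that reads `next`. Both shelve and unshelve continue past their hunks, so the redirects that consume next_step are not visible here.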


@ -18,6 +18,7 @@ from django.views.decorators.http import require_POST
from markdown import markdown
from bookwyrm import forms, models
from bookwyrm.utils import regex, sanitizer
from bookwyrm.utils.validate import validate_url_domain
from .helpers import handle_remote_webfinger, is_api_request
from .helpers import load_date_in_user_tz_as_utc
@ -59,6 +60,7 @@ class CreateStatus(View):
def post(self, request, status_type, existing_status_id=None):
"""create status of whatever type"""
next_step = request.POST.get("next", "/")
next_step = validate_url_domain(next_step, "/")
created = not existing_status_id
existing_status = None
if existing_status_id:
@ -169,6 +171,7 @@ def edit_readthrough(request):
"""can't use the form because the dates are too finnicky"""
# TODO: remove this, it duplicates the code in the ReadThrough view
next_step = request.POST.get("next", "/")
next_step = validate_url_domain(next_step, "/")
readthrough = get_object_or_404(models.ReadThrough, id=request.POST.get("id"))
readthrough.start_date = load_date_in_user_tz_as_utc(
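Review bot: edit_readthrough carries the comment `# TODO: remove this, it duplicates the code in the ReadThrough view`, and that other view is not touched by this commit, so unless it already validates `next` the duplicated path keeps the unguarded redirect; worth confirming before merge. In CreateStatus.post the validation is placed ahead of the existing-status lookup, which is the right spot since nothing should act on the untrusted value first, but the method continues past the hunk so the redirect itself is not visible. The doubled default (`"/"` in both the `POST.get` and the helper call) could shrink to `next_step = validate_url_domain(request.POST.get("next"))` if the helper's own default is `"/"`; its signature is not shown here, so check first.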