
Our app POSTs user data and then gets a success or rejected response. The success response comes with a URL like this:

b'SUCCESS|http://examplesite.com/m.cfm?t=17&wm_login=info&gouser=50105E5C440'

The issue is that when I split this data in Python so I can send users to the URL, Python encodes this URL so it no longer works.

There is no server error message but rather the error is apparent in the redirect URL:

http://examplesite.com/m.cfm?t=17&amp;wm_login=info&amp;gouser=50105E5C440

Notice the & gets converted to &amp;

I have tried countless solutions to similar problems but nothing seems to redirect the user to an unencoded URL. The part that gets me is that when I print() the redirect URL it actually shows the right one!

  • The reason I redirect to a page first is that this form is an iframe and otherwise the Parent page does not get redirected.

views.py

import requests
from django.template.response import TemplateResponse
from django.utils import timezone
from ipware.ip import get_real_ip  # django-ipware 1.x helper used below

from .forms import LeadCaptureForm1  # assumed location of the form


def iframe1(request):
    ip = get_real_ip(request)
    created = timezone.now()

    if request.method == 'POST':
        form = LeadCaptureForm1(request.POST)
        if form.is_valid():

            # Save lead
            lead = form.save(commit=False)
            lead.created = created
            lead.birth_date = form.cleaned_data.get('birth_date')
            lead.ipaddress = ip
            lead.joinmethod = "Iframe1"

            lead.save()

            # API POST and save return message
            payload = {
                ...
            }

            # url: the partner API endpoint, defined elsewhere in the module
            r = requests.post(url, payload)
            print(r.status_code)
            print(r.content)

            # Reply body has the form b'STATUS|URL'
            api_status1 = r.content.decode("utf-8").split('|')[0]
            api_command1 = r.content.decode("utf-8").split('|')[1]

            print(api_status1)
            print(api_command1)

            #backup_link = "https://govice.online/click?offer_id=192&affiliate_id=7&sub_id1=API_Backup-Link"
            backup_link = "http://viceoffers.com"

            lead.xmeets = r.content
            lead.save()

            # Redirect lead to Success URL
            if "http" in api_command1:
                return TemplateResponse(request, 'leadwrench/redirect_template.html', {'redirect_url': api_command1, 'api_status1': api_status1})
            else:
                return TemplateResponse(request, 'leadwrench/redirect_template.html', {'redirect_url': backup_link})

redirect_template.html

<html>
    <head>
        <meta http-equiv="refresh" content="5; url={{ redirect_url }}" />
        <script>
            window.top.location.href = '{{ redirect_url }}';
        </script>
    </head>
    <body>

        <p>api_status1: {{ api_status1 }}</p>
        <p>api_command1: {{ api_command1 }}</p>

    </body>
</html>
Alex Winkler

1 Answer


By default, Django will do HTML escaping of template arguments, which (among other things) changes & to &amp;. Use the safe template filter in your template to avoid that:

<html>
    <head>
        <meta http-equiv="refresh" content="5; url={{ redirect_url|safe }}" />
        <script>
            window.top.location.href = '{{ redirect_url|safe }}';
        </script>
    </head>
    <body>

        <p>api_status1: {{ api_status1 }}</p>
        <p>api_command1: {{ api_command1 }}</p>

    </body>
</html>
Erik Cederstrand
    Make sure that you trust `redirect_url` before you do this, otherwise you are vulnerable to XSS. – Alasdair Apr 10 '18 at 14:12
  • Holy Schnitzel it worked. I read almost everything I could about encoding and decoding but was barking up the wrong tree. Thanks Erik! – Alex Winkler Apr 10 '18 at 14:33
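Alasdair's comment is the part worth acting on: `|safe` switches autoescaping off for whatever the partner API returned, so the view should only hand the template a URL it has checked. The example below is added here and is not code from the question or the answer. It parses the `STATUS|URL` reply, accepts only an absolute http(s) URL on an allow-listed host that contains no characters able to terminate the `content` attribute or the JavaScript string literal the template embeds it in, and otherwise falls back to the backup link. It uses only the standard library so it runs without Django; the allow-list is an assumed value, and `autoescaped` reproduces what Django's autoescaping does to the URL (the `&amp;` the question saw).

```python
# Added example (not code from the question or the answer): validate the
# API's "STATUS|URL" reply before the URL is rendered with |safe, so that only
# an allow-listed destination reaches the template unescaped.
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"examplesite.com"}      # assumed: hosts the API may send users to
BACKUP_LINK = "http://viceoffers.com"    # fallback used in the question's view


def parse_api_reply(raw: bytes):
    """Split the raw b'STATUS|URL' body into (status, command) strings."""
    text = raw.decode("utf-8", errors="replace")
    status, sep, command = text.partition("|")
    if not sep:
        return status.strip(), ""
    return status.strip(), command.strip()


def is_safe_redirect(url: str) -> bool:
    """Accept only absolute http(s) URLs whose host is allow-listed and that
    contain no characters able to end the meta attribute value or the JS
    string literal the redirect template puts the URL into."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:      # rejects javascript:, data:, and scheme-relative //host
        return False
    if parts.hostname not in ALLOWED_HOSTS:      # hostname handles user@host and :port forms
        return False
    if any(c in url for c in "<>\"'\\\n\r"):
        return False
    return True


def choose_redirect(raw: bytes) -> str:
    """Return the URL that may be rendered with |safe, or the backup link."""
    status, command = parse_api_reply(raw)
    if status == "SUCCESS" and is_safe_redirect(command):
        return command
    return BACKUP_LINK


def autoescaped(url: str) -> str:
    """What Django's autoescaping does to a template value: the same
    replacements as html.escape (& -> &amp;, < -> &lt;, > -> &gt;, quotes)."""
    return html.escape(url, quote=True)


if __name__ == "__main__":
    # Constructed sample reply, shaped like the one in the question.
    reply = b"SUCCESS|http://examplesite.com/m.cfm?t=17&wm_login=info&gouser=50105E5C440"
    print(autoescaped(parse_api_reply(reply)[1]))   # shows the &amp; the question saw
    print(choose_redirect(reply))                   # passes the check unchanged
    print(choose_redirect(b"REJECTED|no match"))    # falls back to BACKUP_LINK
```

In the view, pass `choose_redirect(r.content)` as `redirect_url` and keep `|safe` in the template; the filter then only ever sees a URL that passed the check. Two smaller points follow from the template itself: the `&amp;` inside the `<meta>` `content` attribute is decoded by the browser and works as-is, so it is the `window.top.location.href = '...'` line inside `<script>` (where HTML entities are not decoded) that actually sends users to the broken URL, and for that JavaScript context Django's `escapejs` filter is the more precise tool than `safe`.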