Copy as explicit post field since get parameters are stripped since commit
v3.5-30-g1a94d9191a (2018-08-11) [strip logout parameter on form post].
Reported-by: Ben van Vianen
<h2>Inloggen</h2>
<form action="?" method="post">
+ <input type="hidden" name="goto" value="<?php print htmlspecialchars(@$_REQUEST['goto']); ?>" />
<input id="login" name="login" placeholder="Gebruikersnaam" value="<?php
if (isset($_POST['login'])) print htmlspecialchars($_POST['login']);
?>" />
return TRUE;
}
-if (isset($_GET['goto'])) {
+if (isset($_REQUEST['goto'])) {
ob_clean();
- $target = ltrim($_GET['goto'], '/');
+ $target = ltrim($_REQUEST['goto'], '/');
header("Location: /$target");
http_response_code(302);
exit;