This repository has been archived by the owner on Sep 19, 2024. It is now read-only.

Write integration test for ensuring that logins can't redirect to unsafe urls #48

Open
alexander-bauer opened this issue Apr 17, 2017 · 4 comments
Comments

@alexander-bauer
Member

No description provided.

@alexander-bauer
Member Author

A common exploit is sending users to legitimate login forms, and then redirecting from them to a malicious site. We need to ensure that our is_safe_url() function in collegejump/forms.py correctly refuses to redirect to URLs that are not the same as our site.

@ichniow1
Contributor

I need an example of context for a call to is_safe_url(target); I just get errors any time I try to invoke it from inside of a test.

@alexander-bauer
Member Author

@ichniow1 You probably can't call the function directly with the context that's available from the test app, which is a problem if we want to write unit tests. I think it's too late in the game for those to be worthwhile, so I'm advocating integration tests. Rather than testing is_safe_url, send a valid login to /login with your redirectto information set to some other domain, like https://google.com. If is_safe_url works, it will not redirect you there, but instead send you back to the front page of the app.
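The check described in the comment above, written out as an added example that is not the collegejump project's own code: a same-origin `is_safe_url()` built on the standard library, a stand-in `login_view()` for the /login handler, and an integration-style test that posts a valid login with `redirectto` pointing at another domain and expects to land on the front page instead. The function signatures, the `host_url` parameter, the form field names and the credentials are assumptions for this example; the project's real `is_safe_url()` in collegejump/forms.py may take different arguments.

```python
from urllib.parse import urljoin, urlparse

# Assumed signature for this example (the project's own helper may differ).
def is_safe_url(target, host_url):
    """Return True only if `target` resolves to the same scheme family and host as `host_url`.

    Resolving with urljoin first means relative paths ("/dashboard") are accepted,
    while scheme-relative ("//evil.example") and absolute foreign URLs are rejected.
    Userinfo tricks ("http://ourhost@evil.example") fail because the netloc differs.
    """
    if not target:
        return False
    ref = urlparse(host_url)
    test = urlparse(urljoin(host_url, target))
    return test.scheme in ("http", "https") and test.netloc.lower() == ref.netloc.lower()


def login_redirect_target(redirectto, host_url, default="/"):
    """Pick where a successful login should send the browser: the requested
    target if it is safe, otherwise the front page."""
    if redirectto and is_safe_url(redirectto, host_url):
        return urljoin(host_url, redirectto)
    return urljoin(host_url, default)


# Constructed stand-in for the /login view; credentials are a fixture, not real.
VALID_CREDENTIALS = ("alice", "correct horse battery staple")

def login_view(form, host_url):
    """Minimal model of a login handler: (status, Location header)."""
    if (form.get("username"), form.get("password")) != VALID_CREDENTIALS:
        return 200, None  # re-render the form, no redirect
    return 302, login_redirect_target(form.get("redirectto"), host_url)


def run_redirect_checks(host_url="http://localhost:5000/"):
    """Integration-style check: valid logins with various redirectto values.
    Returns a dict of redirectto -> Location so a test can assert on it."""
    cases = [
        "https://google.com",            # foreign absolute URL
        "//google.com/phish",            # scheme-relative, same-looking path
        "http://localhost:5000@evil.test/",  # userinfo confusion
        "javascript:alert(1)",           # non-http scheme
        "/dashboard",                    # legitimate in-app path
        "http://localhost:5000/profile", # legitimate absolute in-app URL
    ]
    results = {}
    for target in cases:
        form = {"username": "alice",
                "password": "correct horse battery staple",
                "redirectto": target}
        status, location = login_view(form, host_url)
        assert status == 302, "valid login must redirect"
        results[target] = location
    return results


if __name__ == "__main__":
    for target, location in run_redirect_checks().items():
        print(f"{target!r:40} -> {location}")
```

The point of driving `login_view()` rather than calling `is_safe_url()` directly is that the check exercises the same code path a browser would hit: the only thing the test needs to know is that a valid login with a foreign `redirectto` must produce a `Location` on our own host. Note that the comparison is on the exact netloc, so a host with a port (`localhost:5000`) will not accept a target that omits the port; that is the conservative direction to fail in.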

@ichniow1
Contributor

Yeah... yet to make any real progress here.
