Remove "referer" from js_config.

Removes XSS reported by jomkr where referer contains "</script>" in IE.
2026-04-05 03:00:15 -04:00 · 2012-08-22 16:10:32 -07:00
parent ab306a0423
commit 8929e17f88
2 changed files with 1 additions and 3 deletions
--- a/r2/r2/lib/template_helpers.py
+++ b/r2/r2/lib/template_helpers.py
@@ -120,8 +120,6 @@ def js_config():
        "post_site": c.site.name if not c.default_sr else "",
        # are we in an iframe?
        "cnameframe": bool(c.cname and not c.authorized_cname),
-        # this page's referer
-        "referer": _force_unicode(request.referer) or "",
        # the user's voting hash
        "modhash": c.modhash or False,
        # the current rendering style
--- a/r2/r2/public/static/js/reddit.js
+++ b/r2/r2/public/static/js/reddit.js
@@ -384,7 +384,7 @@ function unsubscribe(reddit_name) {
 function friend(user_name, container_name, type) {
    return function() {
        if (reddit.logged) {
-            encoded = encodeURIComponent(reddit.referer);
+            encoded = encodeURIComponent(document.referrer);
            $.request("friend?note=" + encoded,
                      {name: user_name, container: container_name, type: type});
        }