From 8e31d8434014a6d1e8791a489d84268fd74b0c9a Mon Sep 17 00:00:00 2001
From: Carlos Garcia Gomez
Date: Tue, 10 May 2022 00:12:41 +0200
Subject: [PATCH] =?UTF-8?q?We=20check=20the=20url=20parameter=20of=20the?=
 =?UTF-8?q?=20link=20to=20ensure=20that=20it=20is=20a=20valid=20controller?=
 =?UTF-8?q?.=20------=20Comprobamos=20el=20par=C3=A1metro=20url=20del=20en?=
 =?UTF-8?q?lace=20para=20asegurar=20que=20sea=20un=20controlador=20v=C3=A1?=
 =?UTF-8?q?lido.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Core/Controller/EditPageOption.php | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/Core/Controller/EditPageOption.php b/Core/Controller/EditPageOption.php
index a9b620f8d3..b8cb64a839 100644
--- a/Core/Controller/EditPageOption.php
+++ b/Core/Controller/EditPageOption.php
@@ -24,6 +24,7 @@
 use FacturaScripts\Core\Base\DataBase\DataBaseWhere;
 use FacturaScripts\Core\Lib\Widget\VisualItemLoadEngine;
 use FacturaScripts\Dinamic\Model\CodeModel;
+use FacturaScripts\Dinamic\Model\Page;
 use FacturaScripts\Dinamic\Model\PageOption;
 use FacturaScripts\Dinamic\Model\User;
 use Symfony\Component\HttpFoundation\Response;
@@ -121,7 +122,7 @@ public function privateCore(&$response, $user, $permissions)
 parent::privateCore($response, $user, $permissions);
 $this->model = new PageOption();
 $this->loadSelectedViewName();
- $this->backPage = $this->request->get('url') ?: $this->selectedViewName;
+ $this->setBackPage();
 $this->selectedUser = $this->user->admin ? $this->request->get('nick') : $this->user->nick;
 $this->loadPageOptions();
 
@@ -275,6 +276,22 @@ private function loadPageOptionsForUser(): bool
 return true;
 }
 
+ private function setBackPage()
+ {
+ // check if the url is a real controller name
+ $url = $this->request->get('url', '');
+ $pageModel = new Page();
+ foreach ($pageModel->all([], [], 0, 0) as $page) {
+ if (substr($url, 0, strlen($page->name)) === $page->name) {
+ $this->backPage = $url;
+ return;
+ }
+ }
+
+ // set the default back page
+ $this->backPage = $this->selectedViewName;
+ }
+
 /**
 * @param array $column
 * @param string $name
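Review bot: The prefix test `substr($url, 0, strlen($page->name)) === $page->name` in the new setBackPage() only establishes that the request's `url` starts with a page name, so any value carrying an arbitrary suffix after that name is accepted and stored in `$this->backPage`, and a page whose `name` is the empty string (if one can exist) would match every url. `$this->request->get('url', '')` is also not guaranteed to return a string, so an array-valued `url` parameter reaches `substr()` as an array and throws a TypeError on PHP 8. I would assign the default first, bail out on a non-string or empty value, split off the query string and compare the controller part exactly (assuming back links have the form `Controller` optionally followed by `?query`, which I cannot confirm from the hunk); the full `all([], [], 0, 0)` scan on every request could then become a keyed lookup if the model offers one. A docblock such as `/** Keeps the url parameter as back page only when it names an existing controller; otherwise falls back to the selected view. */` plus a `: void` return type would document the contract.
```php
private function setBackPage(): void
{
    // default: go back to the selected view
    $this->backPage = $this->selectedViewName;

    $url = $this->request->get('url', '');
    if (!is_string($url) || $url === '') {
        return;
    }

    // compare only the controller name, i.e. the part before any query string
    $controller = explode('?', $url, 2)[0];
    $pageModel = new Page();
    foreach ($pageModel->all([], [], 0, 0) as $page) {
        if ($page->name !== '' && $page->name === $controller) {
            $this->backPage = $url;
            return;
        }
    }
}
```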