Commit 7a4fdf7

bug symfony#14593 [Security][Firewall] Avoid redirection to XHR URIs (asiragusa)
This PR was submitted for the 2.7 branch but it was merged into the 2.3 branch instead (closes symfony#14593).

Discussion
----------

[Security][Firewall] Avoid redirection to XHR URIs

| Q             | A   |
| ------------- | --- |
| Bug fix?      | yes |
| New feature?  | no  |
| BC breaks?    | no  |
| Deprecations? | no  |
| Tests pass?   | yes |
| Fixed tickets |     |
| License       | MIT |
| Doc PR        |     |

If `security.firewalls.main.form_login.always_use_default_target_path` is false, a user could be redirected to a URL called by an AJAX request after the login.

Commits
-------

9ee74ea Avoid redirection to XHR URIs
2 parents 75ed3b1 + 9ee74ea commit 7a4fdf7

1 file changed: +1 -1 lines changed

src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php

Lines changed: 1 addition & 1 deletion
@@ -194,7 +194,7 @@ private function startAuthentication(Request $request, AuthenticationException $
194194
protected function setTargetPath(Request $request)
195195
{
196196
// session isn't required when using HTTP basic authentication mechanism for example
197-
if ($request->hasSession() && $request->isMethodSafe()) {
197+
if ($request->hasSession() && $request->isMethodSafe() && !$request->isXmlHttpRequest()) {
198198
$request->getSession()->set('_security.'.$this->providerKey.'.target_path', $request->getUri());
199199
}
200200
}
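
Review bot: the added `!$request->isXmlHttpRequest()` condition in `setTargetPath()` depends on the client sending `X-Requested-With: XMLHttpRequest`, which is a convention of JavaScript libraries rather than something every background request carries, so an AJAX call made without that header still has its URI stored under `'_security.'.$this->providerKey.'.target_path'` and can still become the post-login redirect. The comment above the condition explains only the session check; it should also say why XHR requests are excluded and that detection is header-based, and applications that need a fixed destination can set `always_use_default_target_path` to true. The commit changes one file, so no test accompanies the fix: a case asserting that an XHR request leaves the session key unset, and that a safe non-XHR request still sets it, would guard against regression.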
