ruff

Author: cunla

scheduler/views/queue_views.py

@@ -1,6 +1,7 @@
 import dataclasses
 from math import ceil
 from typing import Tuple, List, Dict, Union, Any
+from urllib.parse import urlparse
 
 from django.contrib import admin, messages
 from django.contrib.admin.views.decorators import staff_member_required
@@ -203,8 +204,11 @@ def queue_confirm_action(request: HttpRequest, queue_name: str) -> HttpResponse:
 
 def _check_next_url(request: HttpRequest, default_next_url: str) -> str:
     next_url = request.POST.get("next_url", default_next_url)
-    if not url_has_allowed_host_and_scheme(next_url, allowed_hosts=None):
+    next_url = next_url.replace('\\', '')
+    if not url_has_allowed_host_and_scheme(next_url, allowed_hosts=None) or urlparse(next_url).netloc or urlparse(
+            next_url).scheme:
         messages.warning(request, "Bad followup URL")
+        next_url = default_next_url
     try:
         resolve(next_url)
     except Exception: