Avoid setting window.location directly to avoid exploit of cross site scripting. Thanks to Lokesh (@lokesh1095) for the report and solution. Closes GitLab issue #494.

Signed-off-by: Roberto Rosario <roberto.rosario.gonzalez@gmail.com>

HISTORY.rst

@@ -36,6 +36,9 @@
   links' icons.
 - Documents app: Hide the title link of documents in the trash.
 - Workflow app: Define a redirection after workflow actions are edited.
+- Appearance app: avoid setting window.location directly to avoid exploit
+  of cross site scripting. Thanks to Lokesh (@lokesh1095) for the report
+  and solution. Closes GitLab issue #494.
 
 3.0.1 (2018-07-08)
 =================

mayan/apps/appearance/templates/appearance/base_plain.html

@@ -34,7 +34,7 @@
                 // template.
                 var currentHash = window.location.hash;
                 if (currentHash.length) {
-                    window.location = currentHash.substring(1);
+                    window.location.pathname = currentHash.substring(1);
                 }
 
                 function waitForJQuery(func) {