From 9ebe80595afe4fdd1e2c74358d6a9421f4ce130e Mon Sep 17 00:00:00 2001
From: Roberto Rosario
Date: Thu, 16 Aug 2018 18:46:10 -0400
Subject: [PATCH] Avoid setting window.location directly to avoid exploit of cross site scripting. Thanks to Lokesh (@lokesh1095) for the report and solution. Closes GitLab issue #494.
Signed-off-by: Roberto Rosario
---
 HISTORY.rst | 3 +++
 mayan/apps/appearance/templates/appearance/base_plain.html | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/HISTORY.rst b/HISTORY.rst
index c882ceae3b..4d4e14628e 100644
--- a/HISTORY.rst
+++ b/HISTORY.rst
@@ -36,6 +36,9 @@ links' icons.
 - Documents app: Hide the title link of documents in the trash.
 - Workflow app: Define a redirection after workflow actions are edited.
+- Appearance app: avoid setting window.location directly to avoid exploit
+ of cross site scripting. Thanks to Lokesh (@lokesh1095) for the report
+ and solution. Closes GitLab issue #494.
 3.0.1 (2018-07-08)
 =================
diff --git a/mayan/apps/appearance/templates/appearance/base_plain.html b/mayan/apps/appearance/templates/appearance/base_plain.html
index b797b15a4e..f6f1da6e70 100644
--- a/mayan/apps/appearance/templates/appearance/base_plain.html
+++ b/mayan/apps/appearance/templates/appearance/base_plain.html
@@ -34,7 +34,7 @@
 // template.
 var currentHash = window.location.hash;
 if (currentHash.length) {
-window.location = currentHash.substring(1);
+window.location.pathname = currentHash.substring(1);
 }
 function waitForJQuery(func) {
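Review bot: The `+` line in base_plain.html carries no comment explaining why only `pathname` is assigned, so a later cleanup could revert it to `window.location = ...` and reintroduce the fragment-driven script execution that #494 reported. Add a why-comment above the assignment, e.g. `// Assign only pathname: assigning the whole location would accept a javascript: URL taken from the fragment` and `// the pathname setter keeps the navigation on the current origin`. The fragment value is still unvalidated input that decides where the page navigates; as a defence-in-depth check the condition could become `if (currentHash.length && currentHash.charAt(1) === '/' && currentHash.charAt(2) !== '/')`, so only a single-slash absolute path is accepted. Note that assigning `pathname` retains the current query string and fragment, unlike the old whole-location assignment — presumably acceptable, but worth confirming against callers that build these hash links. The enclosing script block starts before this hunk and `waitForJQuery` continues past it.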