From 2fc15eab29e841555c156bb32809d09d6fdcb264 Mon Sep 17 00:00:00 2001
From: Harry Bomrah <harry@rulingcom.com>
Date: Tue, 26 May 2015 16:02:16 +0800
Subject: [PATCH] xss issue fixed

---
 app/views/orbit_bar/index.html.erb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/app/views/orbit_bar/index.html.erb b/app/views/orbit_bar/index.html.erb
index 228b9b2..8e2ff26 100644
--- a/app/views/orbit_bar/index.html.erb
+++ b/app/views/orbit_bar/index.html.erb
@@ -15,7 +15,6 @@
         </div>
         <div class="login-body">
           <%= form_tag "/sessions?locale=#{locale.to_s}", method: "post", :class => "container" do |f| %>
-            <input type="hidden" name="referer_url" value="<%= request.original_url %>">
             <div class="prepend">
               <span class="add"><i class="icon-user"></i></span>
               <input class="input" id="user_user_id" name="user_name" placeholder="<%= t("users.user_id") %>" size="30" type="text">
@@ -182,4 +181,8 @@
       $("#user_user_id").focus();
     }
   })
+  $(".login-body form").on("submit",function(){
+    $(this).append("<input type='hidden' name='referer_url' value='<%= request.original_url %>'/>");
+  })
+
   </script>