Fix: Security fix

src/automations/flow.py

@@ -296,6 +296,7 @@ def leave(self, task):
         task.finished = now()
         task.locked = 0
         task.save()
+        return None  # Stops execution
 
 
 class Repeat(Node):

src/automations/views.py

@@ -2,6 +2,7 @@
 
 # Create your views here.
 import datetime
+import urllib.parse
 
 from django.contrib.auth.mixins import (
     LoginRequiredMixin,
@@ -79,7 +80,13 @@ def form_valid(self, form):
         if getattr(self.node, "_success_url", None):
             return redirect(self.node._success_url)
         elif "back" in self.request.GET:
-            return redirect(self.request.GET.get("back"))
+            url = urllib.parse.urlparse(
+                self.request.GET.get("back")
+            )  # prevent redirect
+            this_site = urllib.parse.urlunparse(
+                ("", "", url.path, url.params, url.query, url.fragment)
+            )
+            return redirect(this_site)
         return super().form_valid(form)
 
     def get_success_url(self):