To allow a user to be redirected to the previous or a specific page after login, Django has a native parameter `next` for that. When I want to implement it, this is the way:
login.html template:
```html
<form method="get" action="{% url 'django_auth_adfs:login' %}">{% csrf_token %}
  <input type="hidden" name="next" value="{{ next }}">
  <button type="submit" class="btn btn-info"><i class="fa-brands fa-windows"></i> Log in with ADFS</button>
</form>
```
It works fine, but the OWASP scanner flags it with an XSLT injection medium-priority warning.
What I did then:
```html
<form method="post" action="{% url 'django_auth_adfs:login' %}">{% csrf_token %}
  <input type="hidden" name="next" value="{{ next }}">
  <button type="submit" class="btn btn-info"><i class="fa-brands fa-windows"></i> Log in with ADFS</button>
</form>
```
```python
# Login view: answer POST the same way as GET so the form can carry "next"
from django.shortcuts import redirect
from django.views import View
from django_auth_adfs.config import provider_config

class OAuth2LoginView(View):
    def get(self, request):
        return redirect(provider_config.build_authorization_endpoint(request))

    def post(self, request):
        return redirect(provider_config.build_authorization_endpoint(request))
```

```python
# Provider config: read "next" from POST first, then GET, then LOGIN_REDIRECT_URL
from django.conf import settings as django_settings
from django.contrib.auth import REDIRECT_FIELD_NAME

def build_authorization_endpoint(self, request, disable_sso=None, force_mfa=False):
    self.load_config()
    redirect_to = request.POST.get(REDIRECT_FIELD_NAME, None)
    if not redirect_to:
        redirect_to = request.GET.get(REDIRECT_FIELD_NAME, None)
    if not redirect_to:
        redirect_to = django_settings.LOGIN_REDIRECT_URL
    ...
```
Now POST support is added, but OWASP still detects it as XSLT injection. When I removed/disallowed the get() method in OAuth2LoginView, OWASP doesn't detect it anymore.
My question is whether you could also add POST support for login to this library.
Thanks.
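The lookup order sketched in the issue (POST `next`, then GET `next`, then `LOGIN_REDIRECT_URL`) is only half of what Django's own `LoginView` does with that field: it also refuses a `next` value that would send the browser to a foreign host, using `django.utils.http.url_has_allowed_host_and_scheme`. The following is an added, stand-alone example (not code from the issue or from django-auth-adfs) that combines both steps. It re-implements the host/scheme check on the standard library so it runs without Django installed; the function names `is_safe_redirect` and `resolve_redirect_target`, the allowed-host set and the sample parameters are all constructed for the illustration.

```python
"""Resolve a post-login redirect target and reject open-redirect values.

Order of precedence follows the issue: POST "next", then GET "next", then a
default (Django's LOGIN_REDIRECT_URL). The safety check is a simplified,
stdlib-only re-implementation of the logic behind Django's
url_has_allowed_host_and_scheme(); in a real view use Django's helper.
"""
import unicodedata
from urllib.parse import urlsplit

# Same field name Django uses for the redirect target.
REDIRECT_FIELD_NAME = "next"


def _check_one(url, allowed_hosts, require_https):
    # Browsers treat three leading slashes as an absolute URL; urlsplit does not.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # "javascript:..." or "http:///example.com": a scheme without a host.
    if parts.scheme and not parts.netloc:
        return False
    # Leading control characters can make a browser read the URL as scheme-relative.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme = parts.scheme
    if not scheme and parts.netloc:  # "//evil.example/x" is effectively http
        scheme = "http"
    valid_schemes = ("https",) if require_https else ("http", "https")
    host_ok = not parts.netloc or parts.netloc in allowed_hosts
    scheme_ok = not scheme or scheme in valid_schemes
    return host_ok and scheme_ok


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """True only if url stays on one of allowed_hosts (or is a path) over http(s)."""
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    # Check the raw value and a backslash-normalised copy, because browsers
    # treat "/\\evil.example" like "//evil.example".
    return _check_one(url, allowed_hosts, require_https) and _check_one(
        url.replace("\\", "/"), allowed_hosts, require_https
    )


def resolve_redirect_target(post_params, get_params, allowed_hosts,
                            default="/", require_https=False):
    """POST "next" first, then GET "next", then the default.

    An unsafe candidate is dropped in favour of the default rather than
    falling through to the next source, matching Django's LoginView.
    """
    candidate = post_params.get(REDIRECT_FIELD_NAME) or get_params.get(REDIRECT_FIELD_NAME)
    if candidate and is_safe_redirect(candidate, allowed_hosts, require_https):
        return candidate
    return default


if __name__ == "__main__":
    # Constructed sample request parameters for a site served as app.example.
    hosts = {"app.example"}
    print(resolve_redirect_target({"next": "/dashboard/"}, {}, hosts))
    print(resolve_redirect_target({"next": "//evil.example/phish"}, {}, hosts, default="/home/"))
```

Inside a Django view the equivalent call is `url_has_allowed_host_and_scheme(redirect_to, allowed_hosts={request.get_host()}, require_https=request.is_secure())`; the point of reading `next` from POST as well as GET is unchanged, but whichever source it comes from, the value should pass this check before `build_authorization_endpoint` embeds it in the state handed to ADFS.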