In Transitions, the external links go through the proxy URL. The proxy URL was changed to now accept any link when the user has any view access. This poses the problem of open redirect on Piwik servers with anonymous access open.
Therefore we should:
Later, as a follow-up, we should also convert all external links to the proxy smarty function, so that the referrer is not leaked on all external links from a Piwik server.
Shouldn't that small change fix the main part of this issue? (see attached patch)
Oh!! That's a very good find, which I think will fix the problem indeed!
SteveG, can you please apply the patch after double-checking that things work as expected? But I think it will.
(In ) refs #3460 fixes XSS within proxy module; allow redirect only if user was referred from within current piwik instance
Thanks Stefan, it looks good to me.
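
The rule stated in the commit message above (redirect only when the request was referred from within the current instance), sketched as an added example. This is not Piwik's own code or the attached patch; the function name `isRedirectAllowed`, the instance URL and the sample requests are hypothetical.

```php
<?php
/**
 * Added example (hypothetical names and URLs, not taken from Piwik).
 * Return true only if $target is an absolute http(s) URL and the request's
 * Referer header points inside this installation ($instanceUrl).
 */
function isRedirectAllowed(string $target, ?string $referrer, string $instanceUrl): bool
{
    // Target must be absolute http/https: rejects javascript:, data:, //host, paths.
    $t = parse_url($target);
    if (!is_array($t) || !isset($t['scheme'], $t['host'])
        || !in_array(strtolower($t['scheme']), ['http', 'https'], true)) {
        return false;
    }

    // No Referer means we cannot tell where the click came from: refuse.
    $r = ($referrer === null || $referrer === '') ? false : parse_url($referrer);
    $i = parse_url($instanceUrl);
    if (!is_array($r) || !is_array($i) || !isset($r['host'], $i['host'])) {
        return false;
    }

    // Compare host and port exactly; a substring test would accept
    // hosts such as stats.example.org.attacker.test.
    if (strcasecmp($r['host'], $i['host']) !== 0
        || ($r['port'] ?? null) !== ($i['port'] ?? null)) {
        return false;
    }

    // The instance may live in a subdirectory, so the path must match too.
    $base = rtrim($i['path'] ?? '', '/') . '/';
    $path = rtrim($r['path'] ?? '', '/') . '/';
    return strncmp($path, $base, strlen($base)) === 0;
}

// Constructed sample requests: [target, Referer header].
$instance = 'https://stats.example.org/piwik/';
$cases = [
    ['https://example.com/page', 'https://stats.example.org/piwik/index.php?module=Transitions'],
    ['https://example.com/page', 'https://other.example.net/mail.html'],
    ['https://example.com/page', 'https://stats.example.org.attacker.test/piwik/'],
    ['https://example.com/page', null],
    ['javascript:alert(1)',      'https://stats.example.org/piwik/index.php'],
];
foreach ($cases as [$target, $ref]) {
    $ok = isRedirectAllowed($target, $ref, $instance);
    // Escape before echoing a request-supplied URL into any output.
    printf("%-5s %s\n", $ok ? 'allow' : 'deny', htmlspecialchars($target, ENT_QUOTES, 'UTF-8'));
}
```

Browsers and privacy settings can suppress the Referer header, so a check like this may also refuse legitimate clicks; a deployment needs a fallback for that case, such as showing the target URL instead of redirecting.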