From d44fb337e2283d1233f64aca6c606423435fa76b Mon Sep 17 00:00:00 2001
From: "Claw (KI-Assistent)"
Date: Thu, 21 May 2026 23:06:19 +0000
Subject: [PATCH] fix(security): replace REQUEST_URI with fixed path in redirects (#43)

- Replace all 3 occurrences of $_SERVER['REQUEST_URI'] with '/'
- Prevents potential open redirect via client-controlled REQUEST_URI
- Safe since contact form only exists on homepage

Fix #43
---
 app/controllers/HomeController.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/controllers/HomeController.php b/app/controllers/HomeController.php
index 0d7b51a..fc58fe2 100644
--- a/app/controllers/HomeController.php
+++ b/app/controllers/HomeController.php
@@ -51,7 +51,7 @@ class HomeController extends Controller
 $honeypot = $normalizeContactValue((string) ($_POST['website'] ?? ''));
 if ($honeypot !== '') {
-header('Location: ' . $_SERVER['REQUEST_URI'] . '#form-result');
+header('Location: /#form-result');
 $_SESSION['form_success'] = true;
 exit;
 } else {
@@ -102,7 +102,7 @@ class HomeController extends Controller
 if ($mailSent) {
 $_SESSION['last_contact_submit'] = time();
-header('Location: ' . $_SERVER['REQUEST_URI'] . '#form-result');
+header('Location: /#form-result');
 $_SESSION['form_success'] = true;
 exit;
 } else {
@@ -111,7 +111,7 @@ class HomeController extends Controller
 }
 }
 if (!empty($formErrors)) {
-header('Location: ' . $_SERVER['REQUEST_URI'] . '#form-result');
+header('Location: /#form-result');
 $_SESSION['form_errors'] = $formErrors;
 $_SESSION['form_data'] = $formData;
 exit;
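Review bot: The literal `'/#form-result'` is now written three times (this hunk and the two at -102 and -111), so the three redirects can drift apart on the next edit; declare it once as `private const FORM_RESULT_REDIRECT = '/#form-result';` on the class and write each call as `header('Location: ' . self::FORM_RESULT_REDIRECT);`. A fixed root path also hard-codes the assumption that the application is served at the domain root; if the app is ever mounted under a path prefix, the redirect will leave the homepage, so a comment such as `// Fixed path: the contact form only exists on the homepage, never reflect REQUEST_URI (#43)` next to the constant would record why the previous dynamic value was dropped. The enclosing method starts before and ends after each of these hunks, so whether a base-path constant already exists in the controller cannot be seen here.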