We apologize for the instability of composr.app and appreciate your patience. We are working on the statistics addon and trying to find an optimal way to store and render data. Unfortunately, we have yet to find a solution that can handle the traffic (and therefore, tens of millions of statistical records) of composr.app. We're working hard on one.
#5770 - Forms specifying a redirect in the action are blocked by CSP
protect_url_parameter is supposed to be used. Also modify the function comment for protect_url_parameter, _protect_url_parameter, and comment in global2.php against INPUT_FILTER_MODSECURITY_URL_PARAMETER, to also mention browser reflected-XSS filtering.
I added several missing protect_url_parameter but I cannot consider this issue resolved because top_login was not one of them from which this issue originates.
top_login gets login URL (+ redirect) from global3.php get_login_url but this is already using protect_url_parameter. So there is another bug somewhere.
top_login gets login URL (+ redirect) from global3.php get_login_url but this is already using protect_url_parameter. So there is another bug somewhere.