catch (\InvalidArgumentException
$e) { } } // Regardless of whether the target is the original one or the overridden
// destination, ensure that all redirects are safe.
if (!
($response instanceof SecuredRedirectResponse
)) { try { // SecuredRedirectResponse is an abstract class that requires a
// concrete implementation. Default to LocalRedirectResponse, which
// considers only redirects to within the same site as safe.
$safe_response = LocalRedirectResponse::
createFromRedirectResponse($response);
$safe_response->
setRequestContext($this->requestContext
);
} catch (\InvalidArgumentException
$e) { // If the above failed, it's because the redirect target wasn't
// local. Do not follow that redirect. Display an error message
// instead. We're already catching one exception, so trigger_error()
// rather than throw another one.
// We don't throw an exception, because this is a client error rather than a
// server error.
$message = 'Redirects to external URLs are not allowed by default, use \Drupal\Core\Routing\TrustedRedirectResponse for it.';
trigger_error($message, E_USER_ERROR
);