adhocracy
combine ret_url and came_from
After submitting or canceling a form the url one is sent to is relatively hard coded. Attempts to change that locally resulted in `came_from`, `ret_url` and `cancel_url`. We should combine these attempts and use some better input validation on them.
Here is a short description of what I did:
in controller `edit()`:

```python
# Accept ret_url only if it starts with a single '/' (not '//').
if ('ret_url' in request.params and
        len(request.params['ret_url']) >= 2 and
        request.params['ret_url'][0] == '/' and
        request.params['ret_url'][1] != '/'):
    c.ret_url = request.params['ret_url']
else:
    c.ret_url = h.entity_url(<object>)
```
in template:

```html
<input type="hidden" name="ret_url" value="${c.ret_url}" />
${components.savebox(c.ret_url)}
```
in controller `update()`:

```python
# ret_url is read from the request and used as-is here.
if 'ret_url' in request.params:
    redirect(request.params.get('ret_url'))
else:
    redirect(h.entity_url(<object>))
```
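
An added example (not adhocracy's code and not part of the original post): one shared check that `ret_url`, `came_from` and `cancel_url` could all pass through, used when the form is rendered and again before the redirect. The helper names, the parameter precedence and the sample values are assumptions; the check goes slightly beyond the one in `edit()` by also rejecting backslashes and control characters.

```python
from urllib.parse import urlsplit

# Assumed precedence when more than one parameter is present.
RETURN_PARAMS = ("ret_url", "came_from", "cancel_url")


def is_safe_local_url(url):
    """True only for a site-relative path such as '/proposal/12/edit'."""
    if not isinstance(url, str) or not url.startswith("/"):
        return False
    # '//host' is scheme-relative, and browsers treat '\' like '/',
    # so '/\host' can leave the site as well.
    if url[1:2] in ("/", "\\"):
        return False
    # CR, LF, tab, NUL etc. can split headers or are dropped by browsers
    # before parsing, which would turn '/<tab>/host' into '//host'.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme == "" and parts.netloc == ""


def safe_return_url(params, default):
    """First safe value among RETURN_PARAMS, otherwise `default`.

    `params` is any mapping with .get(), e.g. request.params;
    `default` is a trusted URL such as the entity URL.
    """
    for name in RETURN_PARAMS:
        value = params.get(name)
        if value is not None and is_safe_local_url(value):
            return value
    return default


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real deployment.
    samples = [
        {"ret_url": "/proposal/12"},
        {"ret_url": "//other.example/login"},
        {"came_from": "/\\other.example"},
        {"cancel_url": "https://other.example/"},
    ]
    for params in samples:
        print(params, "->", safe_return_url(params, "/instance/default"))
```

Calling the same helper in both `edit()` and `update()` means a value changed in the hidden field between the two requests is checked again before the redirect.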