From 6bbe230fe8a25844cebe9997a5acf4645033f9b5 Mon Sep 17 00:00:00 2001
From: Hoang Nguyen <50922013+catmandx@users.noreply.github.com>
Date: Fri, 23 Jun 2023 14:42:39 +0700
Subject: [PATCH] [Vulnerability] Cross site scripting (XSS) and Open Redirect on the login page (#396)
---
 templates/login.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/login.html b/templates/login.html
index bc5ace4..c0a96b9 100644
--- a/templates/login.html
+++ b/templates/login.html
@@ -84,7 +84,7 @@ function redirectNext() {
 const urlParams = new URLSearchParams(window.location.search);
 const nextURL = urlParams.get('next');
- if (nextURL) {
+ if (nextURL && /(?:^\/[a-zA-Z_])|(?:^\/$)/.test(nextURL.trim())) {
 window.location.href = nextURL;
 } else {
 window.location.href = '/{{.basePath}}';