From 3c7633564fead1695549ef8e7c28d0867b907dbd Mon Sep 17 00:00:00 2001
From: sbwalker
Date: Tue, 12 Dec 2023 15:54:52 -0500
Subject: [PATCH] security improvement - ensure returnurl is a relativre path

---
 Oqtane.Client/UI/SiteRouter.razor | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Oqtane.Client/UI/SiteRouter.razor b/Oqtane.Client/UI/SiteRouter.razor
index 8035841e..fd1be041 100644
--- a/Oqtane.Client/UI/SiteRouter.razor
+++ b/Oqtane.Client/UI/SiteRouter.razor
@@ -105,11 +105,18 @@
 Route route = new Route(_absoluteUri, SiteState.Alias.Path);
 int moduleid = (int.TryParse(route.ModuleId, out moduleid)) ? moduleid : -1;
 var action = (!string.IsNullOrEmpty(route.Action)) ? route.Action : Constants.DefaultAction;
+
 var querystring = Utilities.ParseQueryString(route.Query);
 var returnurl = "";
 if (querystring.ContainsKey("returnurl"))
 {
 returnurl = WebUtility.UrlDecode(querystring["returnurl"]);
+ if (!returnurl.StartsWith("/"))
+ {
+ // urls which are not relative are vulnerable to open redirects or XSS
+ returnurl = "";
+ querystring["returnurl"] = "";
+ }
 }
 
 // reload the client application from the server if there is a forced reload
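Review bot: The new guard `if (!returnurl.StartsWith("/"))` still accepts protocol-relative values such as `//host/path` (and `/\host`, which some browsers normalise the same way), and browsers resolve those as absolute URLs, so the open-redirect check this commit introduces is incomplete. Tighten the condition to `if (!returnurl.StartsWith("/", StringComparison.Ordinal) || returnurl.StartsWith("//", StringComparison.Ordinal) || returnurl.StartsWith("/\\", StringComparison.Ordinal))`, which is the same local-URL rule ASP.NET Core's IsLocalUrl applies; passing StringComparison explicitly also avoids the culture-sensitive default of the one-argument StartsWith overload. Because the check runs on the once-decoded value, a doubly-encoded prefix is decoded to `//` or `/\` and caught by the tightened test, so no second decode is needed here. The enclosing method starts and ends outside the hunk, and any other consumer of returnurl in the file is presumably unaffected by this guard and would need the same check.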