Merge pull request from GHSA-v98m-398x-269r

Co-authored-by: kjac <kja@umbraco.dk>

src/Umbraco.Web.UI.Client/src/views/common/login.controller.js

@@ -11,11 +11,12 @@ angular.module('umbraco').controller("Umbraco.LoginController", function (events
       //check if there's a returnPath query string, if so redirect to it
         var locationObj = $location.search();
         if (locationObj.returnPath) {
-            // decodeURIComponent(...) does not play nice with OAuth redirect URLs, so until we have a
-            // dedicated login screen for the new back-office, we need to hardcode this exception
-            path = locationObj.returnPath.indexOf("/security/back-office/authorize") > 0
-              ? locationObj.returnPath
-              : decodeURIComponent(locationObj.returnPath);
+            // ensure that the returnPath is a valid URL under the current origin (prevents DOM-XSS among other things)
+            const returnPath = decodeURIComponent(locationObj.returnPath);
+            const url = new URL(returnPath, window.location.origin);
+            if (url.origin === window.location.origin) {
+                path = returnPath;
+            }
         }
 
         // Ensure path is not absolute