From 3720b5d9300bd2a7bb02a87e043ddf6d0746ec07 Mon Sep 17 00:00:00 2001
From: Nikolaj Geisle <70372949+Zeegaan@users.noreply.github.com>
Date: Mon, 11 Dec 2023 14:00:23 +0100
Subject: [PATCH] Merge pull request from GHSA-v98m-398x-269r
Co-authored-by: kjac
---
 .../src/views/common/login.controller.js | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/Umbraco.Web.UI.Client/src/views/common/login.controller.js b/src/Umbraco.Web.UI.Client/src/views/common/login.controller.js
index 13ca4cb193..ec039dfdd7 100644
--- a/src/Umbraco.Web.UI.Client/src/views/common/login.controller.js
+++ b/src/Umbraco.Web.UI.Client/src/views/common/login.controller.js
@@ -11,11 +11,12 @@ angular.module('umbraco').controller("Umbraco.LoginController", function (events
     //check if there's a returnPath query string, if so redirect to it
     var locationObj = $location.search();
     if (locationObj.returnPath) {
-        // decodeURIComponent(...) does not play nice with OAuth redirect URLs, so until we have a
-        // dedicated login screen for the new back-office, we need to hardcode this exception
-        path = locationObj.returnPath.indexOf("/security/back-office/authorize") > 0
-            ? locationObj.returnPath
-            : decodeURIComponent(locationObj.returnPath);
+        // ensure that the returnPath is a valid URL under the current origin (prevents DOM-XSS among other things)
+        const returnPath = decodeURIComponent(locationObj.returnPath);
+        const url = new URL(returnPath, window.location.origin);
+        if (url.origin === window.location.origin) {
+            path = returnPath;
+        }
     }
 
     // Ensure path is not absolute
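Review bot: Both new calls in the added block can throw on attacker-controlled input and nothing catches them: `decodeURIComponent` raises `URIError` on malformed percent-encoding (e.g. `?returnPath=%E0%A4%A`) and `new URL(...)` raises `TypeError` on strings the URL parser rejects, so a crafted query string aborts the login controller instead of just being ignored. The origin comparison itself looks sound (protocol-relative `//host`, backslash variants and `javascript:` all resolve to a foreign or `null` origin and are rejected), so the fix is only to wrap the two calls in a try/catch and leave `path` at its default when they fail. Note also that `path` receives the raw decoded string rather than the parsed `url`, so whatever consumes `path` later (outside this hunk, after the `// Ensure path is not absolute` line) must resolve it the same way `new URL` did for the check to hold; using `url.pathname + url.search + url.hash` would remove that dependency but changes the value for relative inputs, so that is worth confirming against the consumer rather than changing blindly. The enclosing controller function starts and ends outside the hunk.
```javascript
    if (locationObj.returnPath) {
        try {
            // ensure that the returnPath is a valid URL under the current origin (prevents DOM-XSS among other things)
            const returnPath = decodeURIComponent(locationObj.returnPath);
            const url = new URL(returnPath, window.location.origin);
            if (url.origin === window.location.origin) {
                path = returnPath;
            }
        } catch (e) {
            // URIError (bad percent-encoding) or TypeError (unparseable URL): treat returnPath as absent
        }
    }
```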