fix(xss): oauth_redirect should be a valid url

MrSwitch · Oct 6, 2020 · d6f5137 · d6f5137
1 parent 3b79ec9
commit d6f5137
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/hello.js b/src/hello.js
@@ -1388,8 +1388,12 @@ hello.utils.extend(hello.utils, {
 		// (URI Fragments within 302 Location URI are lost over HTTPS)
 		// Loading the redirect.html before triggering the OAuth Flow seems to fix it.
 		else if ('oauth_redirect' in p) {
+			var url = decodeURIComponent(p.oauth_redirect);
+
+			if (isValidUrl(url)) {
+				location.assign(url);
+			}
 
-			location.assign(decodeURIComponent(p.oauth_redirect));
 			return;
 		}