From d6f5137f30de6e0ef7048191ee6ae575fdc2f669 Mon Sep 17 00:00:00 2001
From: Andrew Dodson
Date: Tue, 6 Oct 2020 12:20:56 +0100
Subject: [PATCH] fix(xss): oauth_redirect should be a valid url
---
 src/hello.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/hello.js b/src/hello.js
index e2c57a73..e8618d17 100644
--- a/src/hello.js
+++ b/src/hello.js
@@ -1388,8 +1388,12 @@ hello.utils.extend(hello.utils, {
 // (URI Fragments within 302 Location URI are lost over HTTPS)
 // Loading the redirect.html before triggering the OAuth Flow seems to fix it.
 else if ('oauth_redirect' in p) {
+var url = decodeURIComponent(p.oauth_redirect);
+
+if (isValidUrl(url)) {
+location.assign(url);
+}
-location.assign(decodeURIComponent(p.oauth_redirect));
 return;
 }
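Review bot: The new guard on the `if (isValidUrl(url))` line is only as strong as `isValidUrl`, which is defined outside this hunk — a `javascript:` or `data:` URL is a syntactically valid URL, so if that helper checks structure rather than scheme, the XSS this commit targets is still reachable through `location.assign(url)`. Restrict the scheme explicitly at the call site, `if (isValidUrl(url) && /^https?:\/\//i.test(url))`, or better, compare `url` against the page's own origin or a configured redirect allowlist, since an attacker-supplied absolute https URL here would presumably still be an open redirect in the middle of an OAuth flow. When the check fails the code now falls through to `return;` silently, which will make a rejected or misconfigured redirect hard to diagnose; a `console.warn('oauth_redirect rejected: ' + url);` in an else branch would help. The enclosing function starts before this hunk and the hunk's trailing context appears cut off, so this is judged from the added lines alone.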