Open redirect bug crashes the app #577

@FlorianCassayre

Description

Package version (if known): 1.0.0-alpha.75 (latest at present time)

Describe the bug

The app attempts to push a URL with a different origin to the history, which is illegal (luckily in this case), and thus crashes the app.

Steps to Reproduce

  1. Navigate to https://catalogue.library.cern/login?next=/%09/example.com (the login page, but with a special payload in the query parameters)
  2. Sign in
  3. After the redirection the browser shows a blank page. Devtools logged the following error:
DOMException: Failed to execute 'pushState' on 'History': A history state object with URL 'https://example.com/' cannot be created in a document with origin 'https://catalogue.library.cern' and URL 'https://catalogue.library.cern/login?message=Successfully+authorized.&code=200&next_url=%2F%2509%2Fexample.com'.

Expected behavior

The app should not crash nor attempt to redirect to a different origin, regardless of the provided redirection parameter.

Additional context

Notice how //example.com or https%3A//example.com don't work, but /%09/example.com does. %09 is the URL-encoded tab character.
