Package version (if known): 1.0.0-alpha.75 (latest at present time)
Describe the bug
The app attempts to push a URL with a different origin to the history, which is illegal (luckily in this case), and thus crashes the app.
Steps to Reproduce
Navigate to https://catalogue.library.cern/login?next=/%09/example.com (the login page, but with a special payload in the query parameters)
Sign in
After the redirection the browser shows a blank page. Devtools logged the following error:
DOMException: Failed to execute 'pushState' on 'History': A history state object with URL 'https://example.com/' cannot be created in a document with origin 'https://catalogue.library.cern' and URL 'https://catalogue.library.cern/login?message=Successfully+authorized.&code=200&next_url=%2F%2509%2Fexample.com'.
Expected behavior
The app should not crash nor attempt to redirect to a different origin, regardless of the provided redirection parameter.
Additional context
Notice how //example.com or https%3A//example.com don't work, but /%09/example.com does. %09 is the URL-encoded tab character.
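The mechanism behind the observation above is that the WHATWG URL parser (the one browsers use for history.pushState and for the URL constructor) strips ASCII tab and newline characters from its input before parsing, so a decoded `next` value of `/<TAB>/example.com` becomes `//example.com`, a protocol-relative URL that resolves to `https://example.com/`, which is exactly the URL named in the DOMException. The following is an added example (not code from the app or project in this report) contrasting a prefix-based check of the kind such a payload bypasses with a check that resolves the candidate against the app origin and compares origins. The string-prefix check is an assumption about what a vulnerable redirect filter typically looks like, not the app's actual logic, and `ORIGIN` is assumed. The hardened check is general: it also rejects backslash variants such as `/\example.com`, which the parser treats as `//example.com` for https URLs, and absolute cross-origin URLs.

```javascript
// Added example, not code from the reported app. ORIGIN is an assumption.
const ORIGIN = "https://catalogue.library.cern";

// Assumed shape of a prefix-based filter: "starts with a single slash" looks
// like a relative path, but the parser removes the tab, so "/\t/example.com"
// passes here and is later parsed as "//example.com".
function naiveIsLocalPath(next) {
  return next.startsWith("/") && !next.startsWith("//");
}

// Hardened check: resolve the candidate with the same WHATWG URL parser the
// browser will use, then accept it only if the resolved origin is our own.
// Returns a same-origin path (path + query + fragment) or a safe fallback,
// so the result can be handed to history.pushState without further checks.
function safeNextPath(next, origin = ORIGIN, fallback = "/") {
  if (typeof next !== "string" || next.length === 0) return fallback;
  let resolved;
  try {
    resolved = new URL(next, origin); // strips tab/newline, normalizes "\" to "/"
  } catch {
    return fallback; // unparseable input, e.g. "https://"
  }
  if (resolved.origin !== new URL(origin).origin) return fallback;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Decode the `next` parameter the way a query-string parser would, so the
// percent-encoded tab (%09) becomes a literal tab, as in the report.
function decodeNext(rawQuery) {
  return new URLSearchParams(rawQuery).get("next");
}

// Constructed sample inputs: the payload from the report plus variants.
const samples = [
  "next=/%09/example.com",          // the reported payload
  "next=//example.com",             // blocked by the naive check
  "next=https%3A//example.com",     // blocked by the naive check
  "next=/%5Cexample.com",           // "/\example.com", also parses cross-origin
  "next=/search?q=x",               // legitimate same-origin path
];

for (const raw of samples) {
  const next = decodeNext(raw);
  console.log(
    JSON.stringify(next).padEnd(26),
    "naive:", String(naiveIsLocalPath(next)).padEnd(5),
    "safe ->", safeNextPath(next)
  );
}
```

Note that `safeNextPath` never returns an absolute URL: even a same-origin absolute `next` is reduced to its path, so pushState only ever receives something that cannot change origin.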