*SECURITY* added prevention of the “Open Redirect” attack from auth page returnUrl

Pavlo Mashliakovskiy requested to merge fix/returnUrlOpenRedirect into master
  • SECURITY added prevention of the “Open Redirect” attack by checking that the returnUrl URL parameter of the authorization page matches the server origin
  • added cleanup of location.hash on startup
  • Authentication page now redirects to the main page using window.location.replace, so the "Back" browser button pressed from adminUI now returns back (to a blank page or the previously visited page), instead of to the UB Authentication page
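
The returnUrl origin check described above, sketched as an added example (this is not the code from the merge request). The function name `safeReturnUrl`, its parameters, the `/` fallback and the `app.example.test` origin are assumptions made for illustration.

```javascript
// Added illustration, not the project's code. All names here are hypothetical.
// Returns an absolute URL that is guaranteed to be on serverOrigin,
// or the fallback when returnUrl points anywhere else.
function safeReturnUrl (returnUrl, serverOrigin, fallback = '/') {
  if (typeof returnUrl !== 'string' || returnUrl === '') return fallback
  // URL parsers treat "\" as "/" for http(s) and strip tab/newline, so
  // "/\host" can become "//host". Reject such input before parsing.
  if (/[\u0000-\u001f\u007f\\]/.test(returnUrl)) return fallback
  let target
  try {
    // Resolve relative values against the server origin, as a browser would.
    target = new URL(returnUrl, serverOrigin)
  } catch (e) {
    return fallback
  }
  // Blocks javascript:, data: and other non-web schemes.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return fallback
  // Scheme, host and port must all match the server.
  if (target.origin !== new URL(serverOrigin).origin) return fallback
  // Return the full href: a bare pathname such as "//other.host/x"
  // would be read as protocol-relative by the caller.
  return target.href
}

// Constructed sample values for a server at https://app.example.test
const ORIGIN = 'https://app.example.test'
const SAMPLES = [
  '/adm/index.html?x=1',                      // relative, same origin
  'https://app.example.test/adm',             // absolute, same origin
  '//evil.example/login',                     // protocol-relative
  'https://app.example.test@evil.example/',   // userinfo trick
  'https://app.example.test.evil.example/',   // look-alike suffix
  'http://app.example.test/',                 // scheme downgrade
  'javascript:alert(1)',                      // non-web scheme
  '/\\evil.example'                           // backslash variant
]

function demo () {
  return SAMPLES.map(u => [u, safeReturnUrl(u, ORIGIN)])
}

// On the auth page the result would be used as:
//   window.location.replace(safeReturnUrl(params.get('returnUrl'), window.location.origin))
```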
