Merge pull request #39 from docusign/DEVDOCS-16961

Devdocs 16961

Author: karissarjacobsen

DocuSign.MyAPI/ClientApp/src/app/core/errorhandler.inteceptor.ts

@@ -42,8 +42,13 @@ export class ErrorHanlderInterceptor implements HttpInterceptor {
               let snackBarRef = this.notificationService.showInfo(res);
 
               snackBarRef.afterDismissed().subscribe(() => {
+                let returnUrl = this.router.url;
+                // Only allow relative paths
+                if (!returnUrl.startsWith('/')) {
+                  returnUrl = '/';
+                }
                 window.location.href =
-                  '/account/login?returnUrl=' + this.router.url;
+                  '/account/login?returnUrl=' + returnUrl;
               });
             });
           }

DocuSign.MyAPI/ClientApp/src/app/header/header.component.ts

@@ -19,7 +19,13 @@ export class AppHeaderComponent implements OnInit {
   ngOnInit(): void {
     this.router.events.subscribe((event) => {
       if (event instanceof NavigationEnd) {
-        this.url = this.router.url;
+        let currentUrl = this.router.url;
+        // Only allow relative paths
+        if (currentUrl.startsWith('/')) {
+          this.url = currentUrl;
+        } else {
+          this.url = '/';
+        }
       }
     });
   }

DocuSign.MyAPI/Controllers/AccountController.cs

@@ -27,6 +27,11 @@ public async Task<ActionResult<String>> GetAccountId()
         [Route("login")]
         public IActionResult Login(string returnUrl = "/")
         {
+            if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
+            {
+                returnUrl = "/";
+            }
+            
             return Challenge(new AuthenticationProperties() { RedirectUri = returnUrl, AllowRefresh = true });
         }