From e0301d4ef8099ab9cb2dc636c692aabf209dc767 Mon Sep 17 00:00:00 2001
From: rxtur
Date: Sun, 24 Oct 2021 22:07:21 -0500
Subject: [PATCH] Return URL to disallow external links
---
 src/Blogifier.Admin/Pages/Account/Login.razor.cs | 3 +++
 src/Blogifier/Controllers/HomeController.cs | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/Blogifier.Admin/Pages/Account/Login.razor.cs b/src/Blogifier.Admin/Pages/Account/Login.razor.cs
index 97432af08..657e65761 100644
--- a/src/Blogifier.Admin/Pages/Account/Login.razor.cs
+++ b/src/Blogifier.Admin/Pages/Account/Login.razor.cs
@@ -19,6 +19,9 @@ public async Task LoginUser()
 if (QueryHelpers.ParseQuery(uri.Query).TryGetValue("returnUrl", out var param))
 returnUrl = param.First();
+ if(returnUrl.StartsWith("http"))
+ returnUrl = "admin/";
+
 var result = await Http.PostAsJsonAsync("api/author/login", model);
 if (result.IsSuccessStatusCode)
diff --git a/src/Blogifier/Controllers/HomeController.cs b/src/Blogifier/Controllers/HomeController.cs
index 239863dcd..42cd41320 100644
--- a/src/Blogifier/Controllers/HomeController.cs
+++ b/src/Blogifier/Controllers/HomeController.cs
@@ -63,7 +63,7 @@ public async Task Index(string slug)
 [HttpGet("/admin")]
 public async Task Admin()
 {
- return File("~/index.html", "text/html");
+ return await Task.FromResult(File("~/index.html", "text/html"));
 }
 [HttpPost]
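Review bot: The added `returnUrl.StartsWith("http")` guard in LoginUser is a deny-list on one literal prefix, so a protocol-relative value such as `//host/path` still passes as an "internal" target, and because the call uses the default culture-sensitive, case-sensitive comparison an `HTTP://` form slips through as well. An allow-list is the safer shape here: accept only a relative path that does not start with `//` or `/\`, and fall back to `admin/` for everything else, in the spirit of what server-side `Url.IsLocalUrl` rejects (that helper is an MVC API and presumably not in scope for this Blazor page). The initialization of `returnUrl` is outside the hunk; if it can still be null when no query value is present, the new `.StartsWith` call would throw, so the rewrite below also handles that case. LoginUser starts before the hunk and continues after it, and the line that actually navigates to `returnUrl` is not visible, so the check should be confirmed against that consumer.
```csharp
// Allow only a same-origin relative path; anything else falls back to the admin root.
if (string.IsNullOrWhiteSpace(returnUrl)
    || !Uri.TryCreate(returnUrl, UriKind.Relative, out _)
    || returnUrl.StartsWith("//", StringComparison.Ordinal)
    || returnUrl.StartsWith("/\\", StringComparison.Ordinal))
{
    returnUrl = "admin/";
}
// … unchanged: login POST and result handling …
```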
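Review bot: `return await Task.FromResult(File("~/index.html", "text/html"));` in Admin only exists to silence the no-await warning on an `async` method and pays for an async state machine to produce a result that is already synchronous. A simpler form drops `async` and returns the completed task directly, `public Task<IActionResult> Admin() => Task.FromResult<IActionResult>(File("~/index.html", "text/html"));`, or makes the action synchronous outright. The return type prints as a bare `Task` in this page, which looks like the generic argument was lost in extraction; the suggestion assumes it is `Task<IActionResult>`.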