Return URL to disallow external links

blogifierdotnet · Oct 25, 2021 · e0301d4 · e0301d4
1 parent b14e98e
commit e0301d4
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/src/Blogifier.Admin/Pages/Account/Login.razor.cs b/src/Blogifier.Admin/Pages/Account/Login.razor.cs
@@ -19,6 +19,9 @@ public async Task LoginUser()
             if (QueryHelpers.ParseQuery(uri.Query).TryGetValue("returnUrl", out var param))
                 returnUrl = param.First();
 
+			if(returnUrl.StartsWith("http"))
+				returnUrl = "admin/";
+
             var result = await Http.PostAsJsonAsync<LoginModel>("api/author/login", model);
 
 			if (result.IsSuccessStatusCode)

diff --git a/src/Blogifier/Controllers/HomeController.cs b/src/Blogifier/Controllers/HomeController.cs
@@ -63,7 +63,7 @@ public async Task<IActionResult> Index(string slug)
         [HttpGet("/admin")]
         public async Task<IActionResult> Admin()
         {
-            return File("~/index.html", "text/html");
+            return await Task.FromResult(File("~/index.html", "text/html"));
         }
 
         [HttpPost]