From a272294fc01849549e0ced79d917ac345214ab0c Mon Sep 17 00:00:00 2001
From: Yasen Pramatarov <yasen@lindeas.com>
Date: Mon, 15 Dec 2025 18:27:47 +0200
Subject: [PATCH] Encodes correctly the login regirect URL parameters

---
 app/pages/login.php          | 2 +-
 app/templates/form-login.php | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/app/pages/login.php b/app/pages/login.php
index fdf9206..b582ebb 100644
--- a/app/pages/login.php
+++ b/app/pages/login.php
@@ -300,6 +300,6 @@ function handleSuccessfulLogin($userId, $username, $rememberMe, $config, $app_ro
     ) {
         $redirect = $candidate;
     }
-    header('Location: ' . htmlspecialchars($redirect));
+    header('Location: ' . $redirect);
     exit();
 }
diff --git a/app/templates/form-login.php b/app/templates/form-login.php
index 7ff3ea3..83a3a2c 100644
--- a/app/templates/form-login.php
+++ b/app/templates/form-login.php
@@ -43,8 +43,10 @@
                             <i class="fas fa-sign-in-alt me-2"></i>Sign in
                         </button>
                     </div>
-<?php if (isset($_GET['redirect'])): ?>
-                    <input type="hidden" name="redirect" value="<?php echo htmlspecialchars($_GET['redirect']); ?>">
+<?php if (isset($_GET['redirect'])):
+    $loginRawRedirect = $_GET['redirect'];
+?>
+                    <input type="hidden" name="redirect" value="<?= htmlspecialchars($loginRawRedirect, ENT_QUOTES, 'UTF-8'); ?>">
 <?php endif; ?>
                 </form>
             </div>