Fixes GHSA-jhjj-2g64-px7c
This vulnerability could allow an attacker to craft an Anubis pass-challenge URL that forces a redirect to a URL with a nonstandard scheme, such as `javascript:`, which executes arbitrary JavaScript in the victim's browser context when the user clicks the "Try again" button.

This has been fixed by disallowing any redirect URL whose scheme is not `http` or `https`.

Additionally, the "Try again" button has been fixed to completely ignore the user-supplied redirect location. It now always redirects to the home page (`/`).
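The check described above, written out as an added illustration (this is not Anubis's own code from #905 or #907): `unsafeRedirectTarget` mirrors the pre-fix behaviour of using the client-supplied value verbatim, `safeRedirectTarget` parses the value and accepts only absolute `http`/`https` URLs, and the "Try again" handler ignores user input entirely. The query parameter name `redir`, the handler names, and the additional requirement that a host be present (which also refuses opaque forms such as `http:evil`) are assumptions for the example, not details taken from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// errBadRedirect is returned for any redirect target that is not an
// absolute http or https URL.
var errBadRedirect = errors.New("redirect target must be an absolute http or https URL")

// unsafeRedirectTarget mirrors the pre-fix behaviour described in the
// advisory: whatever the client put in the redirect parameter is used as-is,
// so "javascript:alert(1)" reaches the browser as a redirect target.
func unsafeRedirectTarget(raw string) string {
	return raw
}

// safeRedirectTarget is the hardened check. url.Parse lowercases the scheme,
// so "JavaScript:" and "JAVASCRIPT:" are caught by the same comparison, and
// values that fail to parse at all (e.g. a tab smuggled into the scheme) are
// refused too. Requiring a non-empty host is an extra guard beyond what the
// advisory describes (assumption for this example); it rejects relative
// paths, scheme-relative "//host" values and opaque "http:foo" values.
func safeRedirectTarget(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("%w: %v", errBadRedirect, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", errBadRedirect
	}
	if u.Host == "" {
		return "", errBadRedirect
	}
	return u.String(), nil
}

// passChallengeHandler reads the (hypothetical) "redir" query parameter and
// only issues a redirect when the value passes safeRedirectTarget.
func passChallengeHandler(w http.ResponseWriter, r *http.Request) {
	target, err := safeRedirectTarget(r.URL.Query().Get("redir"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// tryAgainTarget is the fixed destination of the "Try again" button: the
// handler never looks at request parameters, it always goes home.
const tryAgainTarget = "/"

func tryAgainHandler(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, tryAgainTarget, http.StatusFound)
}

func main() {
	// Constructed sample inputs: one legitimate target and several payloads
	// an attacker might place in the redirect parameter.
	samples := []string{
		"https://example.com/path?x=1",
		"javascript:alert(document.domain)",
		"JavaScript:alert(1)",
		"data:text/html,<script>alert(1)</script>",
		"//evil.example/",
		"/relative",
		"http:evil",
		"java\tscript:alert(1)",
	}
	for _, s := range samples {
		if t, err := safeRedirectTarget(s); err != nil {
			fmt.Printf("reject %q: %v\n", s, err)
		} else {
			fmt.Printf("allow  %q -> %s\n", s, t)
		}
	}
	fmt.Printf("pre-fix behaviour would redirect to %q\n", unsafeRedirectTarget(samples[1]))

	mux := http.NewServeMux()
	mux.HandleFunc("/pass-challenge", passChallengeHandler)
	mux.HandleFunc("/try-again", tryAgainHandler)
	_ = mux // wire into http.ListenAndServe in a real service
}
```

Note that the scheme allowlist is what closes the reported issue; an open redirect to an arbitrary `https://` host is still possible with this check alone, which is why the "Try again" button was additionally changed to ignore the parameter altogether.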
Notes
An incomplete version of this fix was tagged at v1.21.2 and then the release process was aborted upon final testing. Do not package or use v1.21.2.
What's Changed
- fix(lib): add comprehensive XSS protection logic by @Xe in #905
- fix(web): make the try again button always go back to / by @Xe in #907
Full Changelog: v1.21.2...v1.21.3