verify redirects are safe before redirecting

2025-08-30 22:49:27 +02:00 · 2025-01-09 23:21:57 -05:00 · 2025-01-09 23:21:57 -05:00 · 6c813186b8
commit 6c813186b8
parent a556339b76
18 changed files with 99 additions and 45 deletions
--- a/src/app/auth/verify-email/VerifyEmailForm.tsx
+++ b/src/app/auth/verify-email/VerifyEmailForm.tsx
@ -36,6 +36,7 @@ import { useRouter } from "next/navigation";
 import { formatAxiosError } from "@app/lib/api";;
 import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
+import { cleanRedirect } from "@app/lib/cleanRedirect";

 const FormSchema = z.object({
    email: z.string().email({ message: "Invalid email address" }),
@ -91,11 +92,9 @@ export default function VerifyEmailForm({
                "Email successfully verified! Redirecting you..."
            );
            setTimeout(() => {
-                if (redirect && redirect.includes("http")) {
-                    window.location.href = redirect;
-                }
                if (redirect) {
-                    router.push(redirect);
+                    const safe = cleanRedirect(redirect);
+                    router.push(safe);
                } else {
                    router.push("/");
                }