From a01adc58464d278ca817c4bbb6cbce30f155d0d1 Mon Sep 17 00:00:00 2001
From: enisn
Date: Thu, 30 Oct 2025 10:22:53 +0300
Subject: [PATCH 1/2] Use safe redirect after registration

Replaces direct Redirect with RedirectSafelyAsync after user registration to enhance security when handling return URLs.
---
 .../src/Volo.Abp.Account.Web/Pages/Account/Register.cshtml.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Register.cshtml.cs b/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Register.cshtml.cs
index c481715a16..c61e31426a 100644
--- a/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Register.cshtml.cs
+++ b/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Register.cshtml.cs
@@ -137,7 +137,7 @@ public class RegisterModel : AccountPageModel
                 await RegisterLocalUserAsync();
             }
 
-            return Redirect(ReturnUrl ?? "~/"); //TODO: How to ensure safety? IdentityServer requires it however it should be checked somehow!
+            return await RedirectSafelyAsync(ReturnUrl ?? "~/");
         }
         catch (BusinessException e)
         {

From 44a2dc14e933f3ce1ca93f9313d836694ab77d1d Mon Sep 17 00:00:00 2001
From: enisn
Date: Thu, 30 Oct 2025 10:35:28 +0300
Subject: [PATCH 2/2] Update Register.cshtml.cs

---
 .../src/Volo.Abp.Account.Web/Pages/Account/Register.cshtml.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Register.cshtml.cs b/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Register.cshtml.cs
index c61e31426a..6b990253fc 100644
--- a/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Register.cshtml.cs
+++ b/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Register.cshtml.cs
@@ -137,7 +137,7 @@ public class RegisterModel : AccountPageModel
                 await RegisterLocalUserAsync();
             }
 
-            return await RedirectSafelyAsync(ReturnUrl ?? "~/");
+            return await RedirectSafelyAsync(ReturnUrl, ReturnUrlHash);
         }
         catch (BusinessException e)
         {
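Review bot: The removed TODO asked how the return URL is kept safe, and the replacement line gives the next reader no answer: the open-redirect guard now lives entirely inside `RedirectSafelyAsync`, whose implementation is outside this hunk, and it presumably validates the URL as local (or against the configured allowed origins) and falls back to the application root otherwise — confirm against the base page model. A one-line comment above the return would keep that contract visible and discourage a future revert to a bare Redirect(), e.g. `// ReturnUrl is attacker-controllable; RedirectSafelyAsync validates it (open-redirect guard). Do not replace with Redirect().`. The same comment applies to the second patch on this page, which rewrites the same line. The enclosing method starts and ends outside the hunk.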
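Review bot: Dropping `?? "~/"` means a null ReturnUrl now reaches `RedirectSafelyAsync` unguarded; if the helper treats an empty return URL as the application root this is fine, but nothing in the hunk shows that, so it should be confirmed rather than assumed. `ReturnUrlHash` is also user-supplied and the helper presumably appends it to the destination verbatim; as a URL fragment it is never sent to the server, so it does not widen the redirect surface, but any client-side code on the landing page that reads `location.hash` inherits it as untrusted input. It is also worth checking that a rejected return URL is logged somewhere, since repeated non-local return URLs on the registration endpoint are the kind of signal an operations team would want to alert on. The enclosing method starts and ends outside the hunk.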