From 33d390a612daaef37f2853dbfd1c1711e233ce49 Mon Sep 17 00:00:00 2001
From: James Collins
Date: Thu, 15 Jan 2026 08:01:05 +1000
Subject: [PATCH] fix open redirect

---
 public/script.js | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/public/script.js b/public/script.js
index 9e2964e..4100f0a 100644
--- a/public/script.js
+++ b/public/script.js
@@ -1,4 +1,26 @@
 let SM = {
+ redirectIfSafe: (target) => {
+ if (typeof target !== 'string' || target === '') {
+ window.location.assign('/');
+ return;
+ }
+
+ let url;
+ try {
+ url = new URL(target, window.location.origin);
+ } catch (error) {
+ window.location.assign('/');
+ return;
+ }
+
+ if (url.origin !== window.location.origin) {
+ window.location.assign('/');
+ return;
+ }
+
+ window.location.assign(url.href);
+ },
+
 alert: (title, text, type = 'info') =>{
 const data = {
 position: 'top-end',
@@ -84,7 +106,7 @@ let SM = {
 axios.delete(url)
 .then((response) => {
 if(response.data.success){
- window.location.href = response.data.redirect;
+ SM.redirectIfSafe(response.data.redirect);
 }
 })
 .catch(() => {
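Review bot: `redirectIfSafe` is a security boundary and has no comment saying what it guarantees; a short header such as `/** Navigate to target only when it resolves to this page's origin; malformed, non-string or cross-origin values fall back to "/" (this also rejects protocol-relative and javascript:/data: targets, whose origin differs or is "null"). */` would keep the next maintainer from loosening the check. Two smaller points in the same function: `catch (error)` never uses `error`, so `catch {` (or a `console.warn` with the rejected value, which would make silently dropped server redirects observable) reads better, and the three identical `window.location.assign('/'); return;` blocks could be a single early-return fallback. Note that resolving against `window.location.origin` rather than `window.location.href` means a path-relative value like `foo` now lands at `/foo` instead of relative to the current page; if the server only ever sends absolute paths this is fine, but it is a behaviour change worth a comment.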
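Review bot: The new helper is applied only to this one `response.data.redirect` site; if the rest of `public/script.js` assigns `window.location.href` from other server-supplied values (not visible in this hunk), those call sites would still carry the open-redirect risk this patch sets out to fix and should route through `SM.redirectIfSafe` as well. The enclosing function starts outside the hunk, so it is unclear whether a missing `redirect` field now lands on `/` (via the helper's non-string fallback) in a path the caller expects; a one-line comment on the call, `// server-supplied target; helper rejects cross-origin values`, would record the intent.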