From 2ce4d9fa6155c98bc2863f778e40aa0d5e40552c Mon Sep 17 00:00:00 2001
From: bwees
Date: Sat, 30 May 2026 13:50:54 -0500
Subject: [PATCH] fix: disallow cross origin/non http protocols for continueUrl on login
---
 web/src/routes/auth/login/+page.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/web/src/routes/auth/login/+page.ts b/web/src/routes/auth/login/+page.ts
index 03a053fcd5..1cb8d79d70 100644
--- a/web/src/routes/auth/login/+page.ts
+++ b/web/src/routes/auth/login/+page.ts
@@ -8,7 +8,13 @@ import type { PageLoad } from './$types';
 
 export const load = (async ({ parent, url }) => {
   await parent();
-  const continueUrl = url.searchParams.get('continue') || Route.photos();
+  let continueUrl = url.searchParams.get('continue');
+
+  // require same origin continue URL
+  if (!continueUrl || !continueUrl.startsWith('/') || continueUrl.startsWith('//')) {
+    continueUrl = Route.photos();
+  }
+
   if (authManager.authenticated) {
     redirect(307, continueUrl);
   }
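Review bot: The new guard on the `if (!continueUrl || !continueUrl.startsWith('/') || continueUrl.startsWith('//'))` line is a string-prefix test, and the WHATWG URL parser that browsers and SvelteKit follow treats a backslash like a forward slash for http(s) URLs, so a value that passes this test is not guaranteed to resolve to the same origin once it reaches `redirect(307, continueUrl)`. Resolving the parameter against `url.origin` with `new URL(...)` and comparing `origin` lets the parser decide what is same-origin instead of a prefix test; the rewrite below does that and keeps `Route.photos()` for anything unparseable or resolving elsewhere, which also covers the empty, absolute and protocol-relative cases the current check rejects. The comment `// require same origin continue URL` should state the accepted shape, e.g. `// Only honour a same-origin continue target; absolute, protocol-relative or unparseable values fall back to the photos route`. The `load` function continues past the end of the hunk.
```typescript
  const requested = url.searchParams.get('continue');
  let continueUrl = Route.photos();
  if (requested) {
    // Let the URL parser decide what is same-origin rather than a prefix test;
    // anything unparseable or resolving to another origin keeps the default.
    try {
      const resolved = new URL(requested, url.origin);
      if (resolved.origin === url.origin) {
        continueUrl = `${resolved.pathname}${resolved.search}${resolved.hash}`;
      }
    } catch {
      // malformed input: keep the default route
    }
  }
  // … unchanged: authenticated redirect …
```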