Potential fix for code scanning alert no. 316: URL redirection from remote source (#640)

KrzysztofPajak · github-advanced-security[bot] · web-flow · commit 0b6726ddfe31 · 2026-01-09T17:34:50.000+01:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/src/Web/Grand.Web/Controllers/CommonController.cs b/src/Web/Grand.Web/Controllers/CommonController.cs
@@ -266,10 +266,11 @@ public virtual async Task<IActionResult> SetStore(
             }
 
         //prevent open redirection attack
-        if (!Url.IsLocalUrl(returnUrl))
-            returnUrl = Url.RouteUrl("HomePage");
+        var redirectUrl = Url.RouteUrl("HomePage");
+        if (Url.IsLocalUrl(returnUrl))
+            redirectUrl = returnUrl;
 
-        return Redirect(returnUrl);
+        return Redirect(redirectUrl);
 
         void SetStoreCookie(Domain.Stores.Store store)
         {

Original file line number	Diff line number	Diff line change
`@@ -266,10 +266,11 @@ public virtual async Task<IActionResult> SetStore(`
`266`	`266`	`}`
`267`	`267`
`268`	`268`	`//prevent open redirection attack`
`269`		`- if (!Url.IsLocalUrl(returnUrl))`
`270`		`- returnUrl = Url.RouteUrl("HomePage");`
	`269`	`+ var redirectUrl = Url.RouteUrl("HomePage");`
	`270`	`+ if (Url.IsLocalUrl(returnUrl))`
	`271`	`+ redirectUrl = returnUrl;`
`271`	`272`
`272`		`- return Redirect(returnUrl);`
	`273`	`+ return Redirect(redirectUrl);`
`273`	`274`
`274`	`275`	`void SetStoreCookie(Domain.Stores.Store store)`
`275`	`276`	`{`