Merge pull request #12569 from abpframework/maliming/ReturnUrl

Check the `ReturnUrl` on `Manage` page.

framework/src/Volo.Abp.UI.Navigation/Volo/Abp/Ui/Navigation/Urls/AppUrlProvider.cs

@@ -45,7 +45,7 @@ public class AppUrlProvider : IAppUrlProvider, ITransientDependency
 
     public bool IsRedirectAllowedUrl(string url)
     {
-        var allow = Options.RedirectAllowedUrls.Any(url.StartsWith);
+        var allow = Options.RedirectAllowedUrls.Any(x => url.StartsWith(x, StringComparison.CurrentCultureIgnoreCase));
         if (!allow)
         {
             Logger.LogError($"Invalid RedirectUrl: {url}, Use {nameof(AppUrlProvider)} to configure it!");

modules/account/src/Volo.Abp.Account.Web/Pages/Account/Manage.cshtml.cs

@@ -1,5 +1,7 @@
-using System.ComponentModel.DataAnnotations;
+using System;
+using System.ComponentModel.DataAnnotations;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http.Extensions;
 using Volo.Abp.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Options;
@@ -32,6 +34,13 @@ public class ManageModel : AccountPageModel
             await contributor.ConfigureAsync(ProfileManagementPageCreationContext);
         }
 
+        if (!Url.IsLocalUrl(ReturnUrl) &&
+            !ReturnUrl.StartsWith(UriHelper.BuildAbsolute(Request.Scheme, Request.Host, Request.PathBase).RemovePostFix("/")) &&
+            !AppUrlProvider.IsRedirectAllowedUrl(ReturnUrl))
+        {
+            ReturnUrl = null;
+        }
+
         return Page();
     }