Bug #7784
Open redirection
Description
GET /mentat/auth/login?next=https:%5C%5Cbxss.me HTTP/1.1
POST /mentat/users/5/update HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 250
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Connection: Keep-alive

csrf_token=IjA3ODI2YTVlZjhlYzU2MzUzNGJhMDNhYzE3OTU2ZGY2M2U1YTM5ZDki.ZuPhcA.H5oMlcq17Aoqq_e8yHQeSvxoro0&email=flab%40cesnet.cz&fullname=FLAB%20test&locale=cs&next=https:%5C%5Cbxss.me&organization=CESNET%20z.s.p.o.&submit=Submit&timezone=Africa/Abidjan
Updated by Rajmund Hruška about 2 months ago
- Status changed from New to In Progress
- Assignee set to Rajmund Hruška
Updated by Rajmund Hruška about 2 months ago
The issue is in the code for checking if the URL is safe:

import urllib.parse

import flask


def _is_safe_url(target):
    """
    Check, if the URL is safe enough to be redirected to.
    """
    if '\n' in target or '\r' in target:
        return False
    ref_url = urllib.parse.urlparse(flask.request.host_url)
    test_url = urllib.parse.urlparse(urllib.parse.urljoin(flask.request.host_url, target))
    return test_url.scheme in ('http', 'https') and \
        ref_url.netloc == test_url.netloc
From the documentation of urllib:
Following the syntax specifications in RFC 1808, urlparse recognizes a netloc only if it is properly introduced by ‘//’. Otherwise the input is presumed to be a relative URL and thus to start with a path component.
The question still is why https:\\bxss.me is a valid address.
Updated by Rajmund Hruška about 2 months ago
What we could do to resolve this is to only allow relative addresses. We need to be sure that we don't use absolute ones though.
Updated by Rajmund Hruška about 1 month ago
- Status changed from In Progress to Resolved
- Assignee set to Rajmund Hruška
- Target version changed from Backlog to 2.14
Updated by Pavel Kácha about 1 month ago
Rajmund Hruška wrote in #note-3:
What we could do to resolve this is to only allow relative addresses. We need to be sure that we don't use absolute ones though.
Or to also recognize correct absolute ones.
Also - wouldn't we want to be on the safe side and whitelist allowed characters instead of whack-a-moling potentially dangerous ones?
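As an added example (not Mentat's own code), the check from note 2 next to a hardened version along the lines proposed in notes 3 and 4: only relative paths built from an allowlist of characters, plus absolute URLs that literally start with the request host. The backslash payload passes the original check because urlparse only recognises a netloc after "//", so urljoin attaches "https:\\bxss.me" to the request host as a path, while a browser following the WHATWG URL standard treats "\" as "/" in http(s) URLs and navigates to https://bxss.me. HOST_URL is a constructed stand-in for flask.request.host_url, and the hardened function assumes it ends with "/" as Flask's does.

```python
import re
import urllib.parse

# Constructed stand-in for flask.request.host_url (assumption for this example).
HOST_URL = "https://mentat.example/"

# Allowlist for a relative "next" value: a single leading "/" followed only by these
# characters. Backslash, colon, "@", "#", whitespace and control characters are absent.
_SAFE_PATH_RE = re.compile(r"/[A-Za-z0-9._~/?=&%+-]*")


def is_safe_url_original(target, host_url=HOST_URL):
    """The check from the report, with host_url as a parameter instead of flask.request."""
    if "\n" in target or "\r" in target:
        return False
    ref_url = urllib.parse.urlparse(host_url)
    # urlparse sees no "//" after "https:", so the backslash target has no netloc and
    # urljoin glues it onto host_url as a path; the host comparison then succeeds.
    test_url = urllib.parse.urlparse(urllib.parse.urljoin(host_url, target))
    return test_url.scheme in ("http", "https") and ref_url.netloc == test_url.netloc


def is_safe_url_hardened(target, host_url=HOST_URL):
    """Accept a same-origin relative path, or an absolute URL that is literally host_url
    followed by such a path. Anything else, including any backslash, is rejected."""
    if target.startswith(host_url):
        target = target[len(host_url) - 1:]      # strip the origin, keep the leading "/"
    if not _SAFE_PATH_RE.fullmatch(target):
        return False
    if target.startswith("//"):                  # protocol-relative URL: another host
        return False
    parts = urllib.parse.urlsplit(target)        # belt and braces: no scheme, no authority
    return parts.scheme == "" and parts.netloc == ""
```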