From 65c977b151958957fc295599c6ce159acd233471 Mon Sep 17 00:00:00 2001
From: Barry GIBNEY <Barry.GIBNEY@education.gov.uk>
Date: Tue, 26 Nov 2024 15:38:27 +0000
Subject: [PATCH] Accessing Parent directory validation

---
 Web/Edubase.Web.UI/Controllers/HomeController.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Web/Edubase.Web.UI/Controllers/HomeController.cs b/Web/Edubase.Web.UI/Controllers/HomeController.cs
index 1542d050d..a5cdde69c 100644
--- a/Web/Edubase.Web.UI/Controllers/HomeController.cs
+++ b/Web/Edubase.Web.UI/Controllers/HomeController.cs
@@ -95,7 +95,7 @@ public ActionResult CookieChoices(bool acceptAnalyticsCookies)
             var returnTo = Request.Form["OriginatingPage"];
             Response.Cookies.Set(new HttpCookie(UserPrefsCookieName, acceptAnalyticsCookies.ToString()) { Expires = DateTime.Today.AddDays(28), SameSite = SameSiteMode.Lax, Domain = cookieDomain });
             TempData["CookiesPrefsSaved"] = acceptAnalyticsCookies;
-            if (returnTo != null)
+            if (!string.IsNullOrEmpty(returnTo) && urlHelper.IsLocalUrl(returnTo))
             {
                 return Redirect(returnTo);
             }