--- loncom/auth/lonlogin.pm 2021/09/27 02:49:36 1.185
+++ loncom/auth/lonlogin.pm 2021/09/28 21:16:07 1.187
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Login Screen
 #
-# $Id: lonlogin.pm,v 1.185 2021/09/27 02:49:36 raeburn Exp $
+# $Id: lonlogin.pm,v 1.187 2021/09/28 21:16:07 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -123,7 +123,7 @@ sub handler {
 $protocol = 'http' if ($protocol ne 'https');
 my $dest = '/adm/roles';
 if ($env{'form.firsturl'} ne '') {
- $dest = $env{'form.firsturl'};
+ $dest = &HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');
 }
 my %info = (
 balcookie => $lonhost.':'.$balancer_cookie,
@@ -141,7 +141,7 @@ sub handler {
 }
 my $balancer_token = &Apache::lonnet::tmpput(\%info,$found_server);
 if ($balancer_token) {
- $dest .= (($dest=~/\?/)?'&;':'?') . 'btoken='.$balancer_token;
+ $dest .= (($dest=~/\?/)?'&':'?') . 'btoken='.$balancer_token;
 }
 unless ($found_server eq $lonhost) {
 my $alias = &Apache::lonnet::use_proxy_alias($r,$found_server);
@@ -203,7 +203,7 @@ sub handler {
 &Apache::loncommon::end_page();
 my $dest = '/adm/roles';
 if ($env{'form.firsturl'} ne '') {
- $dest = $env{'form.firsturl'};
+ $dest = &HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');
 }
 if (($env{'form.ltoken'}) || ($linkprot)) {
 unless ($linkprot) {
@@ -654,7 +654,7 @@ ENDSAMLJS
 alink => "$alink",
 onload => 'javascript:enableInput();',);
 
- my ($headextra,$headextra_exempt,%defaultdomconf);
+ my ($headextra,$headextra_exempt);
 $headextra = $defaultdomconf{$defdom.'.login.headtag_'.$lonhost_in_use};
 $headextra_exempt = $defaultdomconf{$domain.'.login.headtag_exempt_'.$lonhost_in_use};
 if ($headextra) {
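Review bot: Entity-encoding `$env{'form.firsturl'}` at the moment it is assigned to `$dest` (hunk at -123, and the identical assignment in the hunk at -203) leaves `$dest` half-encoded: the following hunk at -141 appends `btoken=` with a raw `&`, while any `&` that came from firsturl is now `&amp;`. How `$dest` is consumed is outside these hunks; if it lands in an HTML attribute the finished URL should be encoded once at output, and if it lands in a Location header it must not be entity-encoded at all, so keeping `$dest` raw and escaping at the point of emission would be cleaner in either case. Entity encoding also does not constrain where the redirect goes; if firsturl is meant to be a path on this server, a check such as `if ($env{'form.firsturl'} =~ m{\A/(?!/)})` before the assignment would reject scheme-relative and absolute targets, though that should be confirmed against how firsturl is populated. The enclosing `sub handler` starts and ends outside these hunks.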
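Review bot: Dropping `%defaultdomconf` from the `my` list in the hunk at -654 fixes what looks like a shadowing bug (the two `$defaultdomconf{...}` lookups below it could only ever have returned undef), but the corrected code now silently depends on a `%defaultdomconf` declared and populated earlier in the enclosing sub, which is inferred from the fix rather than visible here. A one-line comment above the `my` would keep the redeclaration from creeping back: `# %defaultdomconf is declared and filled earlier in this sub; redeclaring it here shadows it and the lookups below return undef.` The enclosing sub starts and ends outside the hunk.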
@@ -795,15 +795,16 @@ HEADER
 if ($samlssourl ne '') {
 $ssologin = $samlssourl;
 }
+ if ($env{'form.firsturl'} ne '') {
+ $ssologin .= (($ssologin=~/\?/)?'&':'?') .
+ 'origurl='.&HTML::Entities::encode($env{'form.firsturl'},'\'<>&"');
+ }
 my $ssohref;
 if ($samlssoimg ne '') {
 $ssohref = ''.$samlssoalt.'';
 } else {
 $ssohref = ''.$samlssotext.'';
 }
- if ($env{'form.firsturl'}) {
- $ssologin .= '?origurl='.&HTML::Entities::encode($env{'form.firsturl'},'<>&"');
- }
 if (($env{'form.saml'} eq 'no') ||
 (($env{'form.username'} ne '') && ($env{'form.domain'} ne ''))) {
 $ssoauthstyle = 'none';
@@ -1021,12 +1022,12 @@ sub redirect_page {
 }
 my $url = $protocol.'://'.$hostname.$path;
 if ($env{'form.firsturl'} ne '') {
- $url .='?firsturl='.$env{'form.firsturl'};
+ $url .='?firsturl='.&HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');;
 }
 if ($linkprot) {
 my $ltoken = &Apache::lonnet::tmpput({linkprot => $linkprot},$desthost);
 if ($ltoken) {
- $url .= (($url =~ /\?/) ? '&' : '?').'ltoken='.$ltoken;
+ $url .= (($url =~ /\?/) ? '&' : '?').'ltoken='.$ltoken;
 }
 }
 my $start_page = &Apache::loncommon::start_page('Switching Server ...',undef,
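Review bot: `origurl=` is a query-parameter value, but the added lines in the hunk at -795 apply HTML entity encoding to it, which is the wrong layer for a URL component: `?`, `=` and `#` inside firsturl pass through untouched and an `&` becomes `&amp;`, so whatever later reads origurl gets a truncated or altered value whenever firsturl carries its own query string. Percent-encode the value instead (e.g. `&Apache::lonnet::escape($env{'form.firsturl'})` or `URI::Escape::uri_escape`) and leave HTML escaping to the place where `$ssologin` is written into markup, presumably where `$ssohref` is built. The same layering applies to `firsturl=` in the redirect_page hunk at -1021. The code around both hunks continues outside them.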
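Review bot: The added `$url .='?firsturl='...` line in the hunk at -1021 ends with `);;`, a stray empty statement left behind by the edit; drop the second semicolon so the line ends with a single `);`. It is harmless at runtime but will trip perlcritic and reads like an unfinished edit. The enclosing `sub redirect_page` starts and ends outside the hunk.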