--- loncom/auth/lonlogin.pm 2021/09/27 02:49:36 1.185
+++ loncom/auth/lonlogin.pm 2021/10/10 23:22:30 1.191
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Login Screen
 #
-# $Id: lonlogin.pm,v 1.185 2021/09/27 02:49:36 raeburn Exp $
+# $Id: lonlogin.pm,v 1.191 2021/10/10 23:22:30 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -38,6 +38,8 @@ use Apache::lonlocal;
 use Apache::migrateuser();
 use lib '/home/httpd/lib/perl/';
 use LONCAPA qw(:DEFAULT :match);
+use URI::Escape;
+use HTML::Entities();
 use CGI::Cookie();
 
 sub handler {
@@ -60,6 +62,9 @@ sub handler {
             (!$env{'form.ltoken'}) && (!$env{'form.linkkey'})) {
         &Apache::lonacc::get_posted_cgi($r,['linkkey']);
     }
+    if ($env{'form.firsturl'} eq '/adm/logout') {
+        delete($env{'form.firsturl'});
+    }
 
 # -- check if they are a migrating user
     if (defined($env{'form.token'})) {
@@ -111,7 +116,6 @@ sub handler {
     }
     my $lonhost = $r->dir_config('lonHostID');
-    $env{'form.firsturl'} =~ s/(`)/'/g;
 # Check if browser sent a LON-CAPA load balancer cookie (and this is a balancer)
@@ -123,7 +127,12 @@ sub handler {
         $protocol = 'http' if ($protocol ne 'https');
         my $dest = '/adm/roles';
         if ($env{'form.firsturl'} ne '') {
-            $dest = $env{'form.firsturl'};
+            if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+                $dest = &uri_escape_utf8($env{'form.firsturl'});
+            } else {
+                $dest = &uri_escape($env{'form.firsturl'});
+            }
+            $dest = &HTML::Entities::encode($dest,"'");
         }
         my %info = (
                      balcookie => $lonhost.':'.$balancer_cookie,
@@ -141,7 +150,7 @@ sub handler {
         }
         my $balancer_token = &Apache::lonnet::tmpput(\%info,$found_server);
         if ($balancer_token) {
-            $dest .= (($dest=~/\?/)?'&;':'?') . 'btoken='.$balancer_token;
+            $dest .= (($dest=~/\?/)?'&':'?') . 'btoken='.$balancer_token;
         }
         unless ($found_server eq $lonhost) {
             my $alias = &Apache::lonnet::use_proxy_alias($r,$found_server);
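Review bot: In the new `if ($env{'form.firsturl'} ne '')` branch of the -123 hunk the whole of firsturl is percent-encoded, so `/` and `?` become `%2F` and `%3F`, and the `$dest=~/\?/` test in the -141 hunk can then only ever match a `?` that this code appended itself; the -203 hunk in the next part has the same shape. That is fine if `$dest` is consumed as one opaque query-parameter value by the receiving server but wrong if it is still treated as a path, which cannot be seen from the hunk, so a comment is warranted either way: `# firsturl is sent as one opaque percent-encoded value (including / and ?), so the /\?/ test below only sees a query string appended here`. Two smaller points: if firsturl holds decoded characters rather than bytes, the `[^\x00-\xFF]` split escapes a U+0080–U+00FF character as Latin-1 (`%E9`) while anything above U+00FF is escaped as UTF-8, so one encoding for the whole string would be more consistent once it is known whether the value is bytes or characters; and `HTML::Entities::encode($dest,"'")` with an explicit unsafe set encodes only the apostrophe, which is enough here only because `uri_escape` already covered `<>&"` (older URI::Escape defaults leave `'` unescaped), and a note saying so would stop a later reader from widening it. `sub handler` continues outside the hunk.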
@@ -203,7 +212,12 @@ sub handler {
         &Apache::loncommon::end_page();
         my $dest = '/adm/roles';
         if ($env{'form.firsturl'} ne '') {
-            $dest = $env{'form.firsturl'};
+            if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+                $dest = &uri_escape_utf8($env{'form.firsturl'});
+            } else {
+                $dest = &uri_escape($env{'form.firsturl'});
+            }
+            $dest = &HTML::Entities::encode($dest,"'");
         }
         if (($env{'form.ltoken'}) || ($linkprot)) {
             unless ($linkprot) {
@@ -403,8 +417,6 @@ sub handler {
     }
     if ($env{'form.ltoken'}) {
         my %info = &Apache::lonnet::tmpget($env{'form.ltoken'});
-        &Apache::lonnet::tmpdel($env{'form.ltoken'});
-        delete($env{'form.ltoken'});
         if ($info{'linkprot'}) {
             if (!$tokenextras) {
                 $tokenextras = '&&&';
@@ -428,6 +440,10 @@ sub handler {
     if ($logtoken eq 'no_such_host') {
         &Apache::lonnet::logthis('No valid logtoken for log-in page -- unable to determine hostname for hostID: '.$lonhost.'. Check entry in hosts.tab');
     }
+    if ($env{'form.ltoken'}) {
+        &Apache::lonnet::tmpdel($env{'form.ltoken'});
+        delete($env{'form.ltoken'});
+    }
     my $spares='';
     my (@sparehosts,%spareservers);
     my $sparesref = &Apache::lonnet::this_host_spares($defdom);
@@ -654,7 +670,7 @@ ENDSAMLJS
                        alink => "$alink",
                        onload => 'javascript:enableInput();',);
 
-    my ($headextra,$headextra_exempt,%defaultdomconf);
+    my ($headextra,$headextra_exempt);
     $headextra = $defaultdomconf{$defdom.'.login.headtag_'.$lonhost_in_use};
     $headextra_exempt = $defaultdomconf{$domain.'.login.headtag_exempt_'.$lonhost_in_use};
     if ($headextra) {
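Review bot: The block added after the `no_such_host` check in the -428 hunk deletes `$env{'form.ltoken'}` and its tmp entry whenever the token is set, yet the -795 hunk in the next part still tests `$env{'form.ltoken'} ne ''` to add `ltoken=` to the SSO link and the -828 hunk deletes the token again in an `else` branch. Unless this block sits on a path that never reaches the SSO section (the enclosing control flow is outside the hunk), the later test is always false and the later deletion is dead code. If the token is meant to survive until the SSO link has been built, the deletion should move after that point; otherwise a comment such as `# ltoken is consumed here; later references see it as empty` would record the intended order. `sub handler` continues outside the hunk.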
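Review bot: Dropping `%defaultdomconf` from the `my` in the -654 hunk means the two lookups on the following lines now read a `%defaultdomconf` declared outside the hunk (presumably populated earlier in `handler`); with the old local declaration they could only ever return undef. A one-line comment would keep someone from re-adding the local: `# %defaultdomconf is populated earlier in handler; redeclaring it here shadows it and makes these lookups undef`.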
@@ -795,15 +811,29 @@ HEADER
         if ($samlssourl ne '') {
             $ssologin = $samlssourl;
         }
+        if ($env{'form.firsturl'} ne '') {
+            my $querystring = 'origurl=';
+            if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+                $querystring .= &uri_escape_utf8($env{'form.firsturl'});
+            } else {
+                $querystring .= &uri_escape($env{'form.firsturl'});
+            }
+            $querystring = &HTML::Entities::encode($querystring,"'");
+            $ssologin .= (($ssologin=~/\?/)?'&':'?') . $querystring;
+        }
+        if ($env{'form.ltoken'} ne '') {
+            $querystring .= (($querystring eq '')?'':'&') . 'ltoken='.
+                            &HTML::Entities::encode(&uri_escape($env{'form.ltoken'}));
+        } elsif ($env{'form.linkkey'}) {
+            $querystring .= (($querystring eq '')?'':'&') . 'linkkey='.
+                            &HTML::Entities::encode(&uri_escape($env{'form.linkkey'}));
+        }
         my $ssohref;
         if ($samlssoimg ne '') {
             $ssohref = ''.$samlssoalt.'';
         } else {
             $ssohref = ''.$samlssotext.'';
         }
-        if ($env{'form.firsturl'}) {
-            $ssologin .= '?origurl='.&HTML::Entities::encode($env{'form.firsturl'},'<>&"');
-        }
         if (($env{'form.saml'} eq 'no') ||
             (($env{'form.username'} ne '') && ($env{'form.domain'} ne ''))) {
             $ssoauthstyle = 'none';
@@ -828,6 +858,11 @@ $coursecatalog
 ENDSAML
+    } else {
+        if ($env{'form.ltoken'}) {
+            &Apache::lonnet::tmpdel($env{'form.ltoken'});
+            delete($env{'form.ltoken'});
+        }
     }
     $r->print(< $linkprot},$desthost);
         if ($ltoken) {
-            $url .= (($url =~ /\?/) ? '&' : '?').'ltoken='.$ltoken;
+            $url .= (($url =~ /\?/) ? '&' : '?').'ltoken='.$ltoken;
         }
     }
     my $start_page = &Apache::loncommon::start_page('Switching Server ...',undef,
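Review bot: `my $querystring` in the -795 hunk is declared inside the `if ($env{'form.firsturl'} ne '')` block, but the following `if ($env{'form.ltoken'} ne '')` / `elsif` branches append to `$querystring` outside that block, so under `use strict` this compiles only if an outer `$querystring` exists above the hunk, and then the inner `my` shadows it: the `origurl=` part never reaches the ltoken/linkkey branches, and whatever those branches build is never appended to `$ssologin`. The `($querystring eq '')` tests show a single accumulator was intended. Declare it once before the first `if`, append in each branch, and attach it to `$ssologin` once at the end, as below. The enclosing block continues outside the hunk.

```perl
        my $querystring = '';
        if ($env{'form.firsturl'} ne '') {
            $querystring = 'origurl=';
            # … unchanged: uri_escape / uri_escape_utf8 choice and HTML::Entities::encode …
        }
        if ($env{'form.ltoken'} ne '') {
            $querystring .= (($querystring eq '')?'':'&') . 'ltoken='.
                            &HTML::Entities::encode(&uri_escape($env{'form.ltoken'}));
        } elsif ($env{'form.linkkey'}) {
            # … unchanged: linkkey branch …
        }
        if ($querystring ne '') {
            $ssologin .= (($ssologin=~/\?/)?'&':'?') . $querystring;
        }
```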