Location
lib/same-site-redirect.js:58
Problem
sameSiteRedirectPath validates both the encoded and decoded form of the redirect path, but return s at the end returns the original encoded string. A caller passing %2Fhome gets back %2Fhome instead of /home.
Browsers handle this correctly (both navigate to the same place), but the inconsistency between the validation logic and the return value is surprising and could cause subtle issues if the return value is ever used in a non-navigation context (e.g. logged, compared as a string).
Suggested fix
// line 58 -- return the canonical decoded path
return decoded;
This is a low-risk change: the decoded value has already passed all safety checks by this point.
Location
lib/same-site-redirect.js:58Problem
sameSiteRedirectPathvalidates both the encoded and decoded form of the redirect path, butreturn sat the end returns the original encoded string. A caller passing%2Fhomegets back%2Fhomeinstead of/home.Browsers handle this correctly (both navigate to the same place), but the inconsistency between the validation logic and the return value is surprising and could cause subtle issues if the return value is ever used in a non-navigation context (e.g. logged, compared as a string).
Suggested fix
This is a low-risk change: the decoded value has already passed all safety checks by this point.