From 31da9d424c618a18b410e81c0ba1a380b1c8889e Mon Sep 17 00:00:00 2001
From: Kumuditha - KD
Date: Thu, 23 Jan 2025 10:58:42 +0530
Subject: [PATCH 1/3] Add sanitation to self registration callback
---
 .../webapp/self-registration-username-request.jsp | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp b/identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp
index bb48f44a289..51b66b6bf0f 100644
--- a/identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp
+++ b/identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp
@@ -737,13 +737,16 @@
 <%
- if (!StringUtils.equalsIgnoreCase(backToUrl,"null") && !StringUtils.isBlank(backToUrl)) {
+ if (!StringUtils.equalsIgnoreCase(backToUrl, "null") &&
+ !StringUtils.isBlank(backToUrl) &&
+ !backToUrl.toLowerCase().contains("javascript:") &&
+ !backToUrl.toLowerCase().contains("data:")) {
 %>
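Review bot: The new condition on `backToUrl` is a substring denylist that rejects only the two schemes it names, so every scheme it does not name still passes through to wherever the value is rendered; an allowlist — parse the value with `java.net.URI` and accept only `http`/`https` (or a scheme-less relative path) — is the robust form, and testing the parsed scheme instead of `contains` also stops rejecting legitimate URLs that merely carry one of those strings inside a query parameter. The identical condition is duplicated in this patch's second hunk at line 1296, so the check should live in one helper called from both places rather than being maintained twice. How `backToUrl` is written into the markup is outside the hunk, so it is inferred rather than visible that HTML-attribute encoding on the rendering side is still required in addition to this validation. The scriptlet block opened by the trailing `{` continues past the end of the hunk.
```jsp
<%
    boolean backToUrlAllowed = false;
    if (!StringUtils.equalsIgnoreCase(backToUrl, "null") && !StringUtils.isBlank(backToUrl)) {
        try {
            // Allowlist: only http(s) absolute URLs or scheme-less relative paths may be linked.
            String scheme = new java.net.URI(backToUrl.trim()).getScheme();
            backToUrlAllowed = scheme == null
                    || "http".equalsIgnoreCase(scheme)
                    || "https".equalsIgnoreCase(scheme);
        } catch (java.net.URISyntaxException ignored) {
            // Unparsable value: treat it as absent rather than rendering it.
        }
    }
    if (backToUrlAllowed) {
%>
```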
@@ -1296,13 +1299,16 @@
 <%
- if (!StringUtils.equalsIgnoreCase(backToUrl,"null") && !StringUtils.isBlank(backToUrl)) {
+ if (!StringUtils.equalsIgnoreCase(backToUrl, "null") &&
+ !StringUtils.isBlank(backToUrl) &&
+ !backToUrl.toLowerCase().contains("javascript:") &&
+ !backToUrl.toLowerCase().contains("data:")) {
 %>
From debd77e3f54f4d57ef7c09af8d4a3c44159ff065 Mon Sep 17 00:00:00 2001
From: Kumuditha - KD
Date: Thu, 23 Jan 2025 11:00:42 +0530
Subject: =?UTF-8?q?Add=20changeset=20=F0=9F=A6=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .changeset/curly-bags-relate.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/curly-bags-relate.md
diff --git a/.changeset/curly-bags-relate.md b/.changeset/curly-bags-relate.md
new file mode 100644
index 00000000000..971e8235959
--- /dev/null
+++ b/.changeset/curly-bags-relate.md
@@ -0,0 +1,5 @@
+---
+"@wso2is/identity-apps-core": patch
+---
+
+Add sanitation to self registration callback
From 85c90ffc1efdfa143c502a16a36bec751572927b Mon Sep 17 00:00:00 2001
From: Kumuditha - KD
Date: Thu, 23 Jan 2025 11:55:21 +0530
Subject: [PATCH 3/3] Add file and ftp to sanitization
---
 .../src/main/webapp/self-registration-username-request.jsp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp b/identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp
index 51b66b6bf0f..89263d07fa0 100644
--- a/identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp
+++ b/identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp
@@ -740,6 +740,8 @@
 if (!StringUtils.equalsIgnoreCase(backToUrl, "null") &&
 !StringUtils.isBlank(backToUrl) &&
 !backToUrl.toLowerCase().contains("javascript:") &&
+ !backToUrl.toLowerCase().contains("file:") &&
+ !backToUrl.toLowerCase().contains("ftp:") &&
 !backToUrl.toLowerCase().contains("data:")) {
 %>
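Review bot: `backToUrl.toLowerCase()` on each of the two added clauses (and the existing ones around them) takes no `Locale`, so the comparison against the scheme literals depends on the JVM's default locale; lower-case once into a local with `toLowerCase(Locale.ROOT)`, or use the library's locale-independent form per clause, e.g. `!StringUtils.containsIgnoreCase(backToUrl, "file:")`. The same list is maintained at both line 740 and the second hunk at line 1302, and this commit had to edit both to add two schemes, which is the drift risk a single shared helper would remove. Whether a scheme allowlist rather than this growing denylist is intended is not visible here, but with the denylist shape any scheme not yet listed is accepted. The enclosing scriptlet begins before and ends after the hunk.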
@@ -1302,6 +1304,8 @@
 if (!StringUtils.equalsIgnoreCase(backToUrl, "null") &&
 !StringUtils.isBlank(backToUrl) &&
 !backToUrl.toLowerCase().contains("javascript:") &&
+ !backToUrl.toLowerCase().contains("file:") &&
+ !backToUrl.toLowerCase().contains("ftp:") &&
 !backToUrl.toLowerCase().contains("data:")) {
 %>