C#: Can AuthorizeAttribute.GetRedi
() be hacked?
I see the following override of GetRedirectResult():
private ActionResult GetRedirectResult(AuthorizationContext context, string controller, string action, string clientId = null,
    List<KeyValuePair<string, object>> additionalParameters = null)
{
    // The return URL is taken directly from the incoming request.
    var returnUrl = context.HttpContext.Request.RawUrl;
    // (rest of the method is not shown in the post)
}
but notice the value for Request.RawUrl is a simple path, generated by our code:
So, I wonder if I need to do any URL sanitizing on this, given it seems based on C# and not user-generated.
Is this something that can be ignored?
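An added example, not part of the original post: Request.RawUrl carries the path and query string as the client sent them, so one option is to accept a return URL only when it is local to the application and fall back to a fixed path otherwise. The ReturnUrlGuard class and its method names are hypothetical and the sample values are constructed; in ASP.NET MVC the built-in Url.IsLocalUrl performs a similar check.

```csharp
using System;

public static class ReturnUrlGuard
{
    // Hypothetical helper: true only for targets such as "/orders?id=5" or "~/home".
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        // Control characters (CR, LF, tab, ...) have no place in a redirect target.
        foreach (char c in url)
            if (char.IsControl(c)) return false;

        // Allow an optional leading "~" (application-relative path in ASP.NET).
        int start = url[0] == '~' ? 1 : 0;
        if (url.Length <= start || url[start] != '/') return false;

        // "/" or "/path" is local; "//host" and "/\host" are treated by browsers as another host.
        return url.Length == start + 1
            || (url[start + 1] != '/' && url[start + 1] != '\\');
    }

    // Returns the candidate if it is local, otherwise a fixed fallback path.
    public static string SafeReturnUrl(string candidate, string fallback = "/")
    {
        return IsLocalUrl(candidate) ? candidate : fallback;
    }

    public static void Main()
    {
        // Constructed sample values, not taken from the post.
        string[] samples =
        {
            "/Account/Details?id=42",
            "~/Home/Index",
            "//other.example/login",
            "/\\other.example/login",
            "https://other.example/login",
            "/Home\r\nX-Header: 1",
            ""
        };

        foreach (var s in samples)
            Console.WriteLine("{0,-32} -> {1}",
                s.Replace("\r", "\\r").Replace("\n", "\\n"), SafeReturnUrl(s));
    }
}
```

Only the first two samples are returned unchanged; the rest are replaced by the fallback path.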