fix: prevent XSS in returnToPath parameter by validating protocol (#20965)

The returnToPath parameter validation was vulnerable to XSS attacks using
javascript: protocol URLs with matching hostnames (e.g., javascript://gitpod.io/).
This fix ensures only HTTPS URLs with matching hostnames are trusted.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Claude <[email protected]>

Author: iQQBot

components/dashboard/src/utils.test.ts

@@ -45,6 +45,12 @@ test("urlHash and isTrustedUrlOrPath", () => {
         { location: "/", trusted: true },
         // eslint-disable-next-line no-script-url
         { location: "javascript:alert(1)", trusted: false },
+        // XSS bypass attempt with javascript: protocol and matching hostname
+        // eslint-disable-next-line no-script-url
+        { location: "javascript://example.org/%250aalert(1)", trusted: false },
+        // Other protocol attempts
+        { location: "data:text/html,<script>alert(1)</script>", trusted: false },
+        { location: "vbscript:alert(1)", trusted: false },
     ];
     isTrustedUrlOrPathCases.forEach(({ location, trusted }) => {
         expect(isTrustedUrlOrPath(location)).toBe(trusted);

components/dashboard/src/utils.ts

@@ -227,7 +227,9 @@ export function parseUrl(url: string): URL | null {
 
 export function isTrustedUrlOrPath(urlOrPath: string) {
     const url = parseUrl(urlOrPath);
-    const isTrusted = url ? window.location.hostname === url.hostname : urlOrPath.startsWith("/");
+    const isTrusted = url
+        ? window.location.hostname === url.hostname && url.protocol === "https:"
+        : urlOrPath.startsWith("/");
     if (!isTrusted) {
         console.warn("Untrusted URL", urlOrPath);
     }