Bug 31699: (follow-up) Protect against unauthorized redirects

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit e0760fd185)
Signed-off-by: Jacob O'Mara <jacob.omara@ptfs-europe.com>

koha-tmpl/opac-tmpl/bootstrap/js/global.js

@@ -228,7 +228,7 @@ $(document).ready(function(){
         var button = $(this);
         var context = button.data('return');
         if ( context ) {
-            $('#modalAuth').append('<input type="hidden" name="return" value="'+window.location+'" />');
+            $('#modalAuth').append('<input type="hidden" name="return" value="'+window.location.pathname+window.location.search+'" />');
         }
         $("#loginModal").modal("show");
     });

opac/opac-user.pl

@@ -428,8 +428,10 @@ if ($search_query) {
 # back to the page we triggered the login from
 my $return = $query->param('return');
 if ( $return ) {
+    my $uri = C4::Context->preference('OPACBaseURL');
+    $uri .= $return;
     print $query->redirect(
-        -uri    => $return,
+        -uri    => $uri,
         -cookie => $cookie,
     );
 }