Login: Filter redirect URLs (#88726)

* Login: Filter redirect URLs

* Remove safeProtocolUrl() usage

Author: tyxla

client/login/redirect-logged-in/index.web.js

@@ -1,14 +1,37 @@
-import safeProtocolUrl from 'calypso/lib/safe-protocol-url';
 import { isUserLoggedIn } from 'calypso/state/current-user/selectors';
 
+/**
+ * For this context, we consider external URLs that are NOT:
+ * - Relative paths (`/test`)
+ * - Absolute URLs on https://wordpress.com/*
+ * @param {string} url URL to check
+ * @returns {boolean}
+ */
+function isExternalUrl( url ) {
+	if ( url.startsWith( '/' ) ) {
+		return false;
+	}
+
+	try {
+		const urlObject = new URL( url );
+		if ( urlObject.hostname === 'wordpress.com' && urlObject.protocol === 'https:' ) {
+			return false;
+		}
+	} catch {
+		return true;
+	}
+
+	return true;
+}
+
 export default function redirectLoggedIn( context, next ) {
 	const userLoggedIn = isUserLoggedIn( context.store.getState() );
 
 	if ( userLoggedIn ) {
 		// force full page reload to avoid SSR hydration issues.
 		// Redirect parameters should have higher priority.
-		let url = safeProtocolUrl( context?.query?.redirect_to );
-		if ( ! url || url === 'http:' ) {
+		let url = context?.query?.redirect_to;
+		if ( ! url || isExternalUrl( url ) ) {
 			url = '/';
 		}
 		window.location = url;