From e9f25bc2a721498e5e7f9e2cc92079ec61b4b6e3 Mon Sep 17 00:00:00 2001
From: Krzysztof Pajak
Date: Wed, 7 Jan 2026 20:23:35 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 316: URL redirection from remote source
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/Web/Grand.Web/Controllers/CommonController.cs | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/Web/Grand.Web/Controllers/CommonController.cs b/src/Web/Grand.Web/Controllers/CommonController.cs
index 9c4d14b15..8b385a0d5 100644
--- a/src/Web/Grand.Web/Controllers/CommonController.cs
+++ b/src/Web/Grand.Web/Controllers/CommonController.cs
@@ -266,10 +266,11 @@ public virtual async Task SetStore(
 }
 //prevent open redirection attack
- if (!Url.IsLocalUrl(returnUrl))
- returnUrl = Url.RouteUrl("HomePage");
+ var redirectUrl = Url.RouteUrl("HomePage");
+ if (Url.IsLocalUrl(returnUrl))
+ redirectUrl = returnUrl;
- return Redirect(returnUrl);
+ return Redirect(redirectUrl);
 void SetStoreCookie(Domain.Stores.Store store)
 {
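Review bot: The locality check and the redirect sink are still separate: `Url.IsLocalUrl(returnUrl)` gates the assignment, but the final call is the unrestricted `Redirect(redirectUrl)`, so a later edit between the two could reintroduce an open redirect without anything failing. Since both possible values are meant to be local, `return LocalRedirect(redirectUrl);` would enforce that at the sink as well. Separately, `Url.RouteUrl("HomePage")` is now evaluated on every call and can return null when the route cannot be generated, in which case `Redirect` throws; a fallback such as `var redirectUrl = Url.RouteUrl("HomePage") ?? "/";` would avoid that, assuming "/" is an acceptable landing page here. SetStore's body starts and continues outside the hunk, so where `returnUrl` comes from is not visible.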