--- loncom/auth/lonlogin.pm 2021/09/28 21:16:07 1.187
+++ loncom/auth/lonlogin.pm 2021/10/10 23:22:30 1.191
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Login Screen
 #
-# $Id: lonlogin.pm,v 1.187 2021/09/28 21:16:07 raeburn Exp $
+# $Id: lonlogin.pm,v 1.191 2021/10/10 23:22:30 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -38,6 +38,8 @@ use Apache::lonlocal;
 use Apache::migrateuser();
 use lib '/home/httpd/lib/perl/';
 use LONCAPA qw(:DEFAULT :match);
+use URI::Escape;
+use HTML::Entities();
 use CGI::Cookie();
 sub handler {
@@ -60,6 +62,9 @@ sub handler {
 (!$env{'form.ltoken'}) && (!$env{'form.linkkey'})) {
 &Apache::lonacc::get_posted_cgi($r,['linkkey']);
 }
+ if ($env{'form.firsturl'} eq '/adm/logout') {
+ delete($env{'form.firsturl'});
+ }
 # -- check if they are a migrating user
 if (defined($env{'form.token'})) {
@@ -111,7 +116,6 @@ sub handler {
 }
 my $lonhost = $r->dir_config('lonHostID');
- $env{'form.firsturl'} =~ s/(`)/'/g;
 # Check if browser sent a LON-CAPA load balancer cookie (and this is a balancer)
@@ -123,7 +127,12 @@ sub handler {
 $protocol = 'http' if ($protocol ne 'https');
 my $dest = '/adm/roles';
 if ($env{'form.firsturl'} ne '') {
- $dest = &HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');
+ if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+ $dest = &uri_escape_utf8($env{'form.firsturl'});
+ } else {
+ $dest = &uri_escape($env{'form.firsturl'});
+ }
+ $dest = &HTML::Entities::encode($dest,"'");
 }
 my %info = (
 balcookie => $lonhost.':'.$balancer_cookie,
@@ -203,7 +212,12 @@ sub handler {
 &Apache::loncommon::end_page();
 my $dest = '/adm/roles';
 if ($env{'form.firsturl'} ne '') {
- $dest = &HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');
+ if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+ $dest = &uri_escape_utf8($env{'form.firsturl'});
+ } else {
+ $dest = &uri_escape($env{'form.firsturl'});
+ }
+ $dest = &HTML::Entities::encode($dest,"'");
 }
 if (($env{'form.ltoken'}) || ($linkprot)) {
 unless ($linkprot) {
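Review bot: The guard added in the hunk at -60 compares `$env{'form.firsturl'}` with the exact string `/adm/logout`, so a value carrying a query string or a trailing slash would still be kept as the post-login destination. If the intent is to stop a fresh login from being sent straight to the logout handler (the reason is not stated, and the rest of handler is outside the hunk), a path match would cover those forms: `if ($env{'form.firsturl'} =~ m{^/adm/logout(?:[/?#]|$)}) {`. A short comment such as `# never use the logout URL as the post-login destination` would record the reason.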
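Review bot: The six-line escape sequence added in the hunk at -123 is repeated verbatim in the hunk at -203, and again with small variations for `origurl` in the hunk at -796 and for `firsturl` in the last hunk, so any later change to the escaping has to be made in four places. A single private helper would keep the encoding of this user-supplied destination consistent. It could also carry the comments the inline copies lack: why the `/[^\x00-\xFF]/` test picks `uri_escape_utf8`, and why `'` alone is entity-encoded afterwards (presumably for URI::Escape versions whose default set leaves `'` unescaped). handler starts and ends outside these hunks, and the helper name below is only a suggestion.

```perl
# URL-escape a user-supplied post-login destination.
# uri_escape() croaks on characters above 0xFF, so those go through
# uri_escape_utf8(); the final step entity-encodes any ' left unescaped.
sub escape_firsturl {
    my ($url) = @_;
    my $escaped;
    if ($url =~ /[^\x00-\xFF]/) {
        $escaped = &uri_escape_utf8($url);
    } else {
        $escaped = &uri_escape($url);
    }
    return &HTML::Entities::encode($escaped,"'");
}

# … unchanged: my $dest = '/adm/roles'; …
if ($env{'form.firsturl'} ne '') {
    $dest = &escape_firsturl($env{'form.firsturl'});
}
```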
@@ -403,8 +417,6 @@ sub handler {
 }
 if ($env{'form.ltoken'}) {
 my %info = &Apache::lonnet::tmpget($env{'form.ltoken'});
- &Apache::lonnet::tmpdel($env{'form.ltoken'});
- delete($env{'form.ltoken'});
 if ($info{'linkprot'}) {
 if (!$tokenextras) {
 $tokenextras = '&&&';
@@ -428,6 +440,10 @@ sub handler {
 if ($logtoken eq 'no_such_host') {
 &Apache::lonnet::logthis('No valid logtoken for log-in page -- unable to determine hostname for hostID: '.$lonhost.'. Check entry in hosts.tab');
 }
+ if ($env{'form.ltoken'}) {
+ &Apache::lonnet::tmpdel($env{'form.ltoken'});
+ delete($env{'form.ltoken'});
+ }
 my $spares='';
 my (@sparehosts,%spareservers);
 my $sparesref = &Apache::lonnet::this_host_spares($defdom);
@@ -796,8 +812,21 @@ HEADER
 $ssologin = $samlssourl;
 }
 if ($env{'form.firsturl'} ne '') {
- $ssologin .= (($ssologin=~/\?/)?'&':'?') .
- 'origurl='.&HTML::Entities::encode($env{'form.firsturl'},'\'<>&"');
+ my $querystring = 'origurl=';
+ if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+ $querystring .= &uri_escape_utf8($env{'form.firsturl'});
+ } else {
+ $querystring .= &uri_escape($env{'form.firsturl'});
+ }
+ $querystring = &HTML::Entities::encode($querystring,"'");
+ $ssologin .= (($ssologin=~/\?/)?'&':'?') . $querystring;
+ }
+ if ($env{'form.ltoken'} ne '') {
+ $querystring .= (($querystring eq '')?'':'&') . 'ltoken='.
+ &HTML::Entities::encode(&uri_escape($env{'form.ltoken'}));
+ } elsif ($env{'form.linkkey'}) {
+ $querystring .= (($querystring eq '')?'':'&') . 'linkkey='.
+ &HTML::Entities::encode(&uri_escape($env{'form.linkkey'}));
 }
 my $ssohref;
 if ($samlssoimg ne '') {
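Review bot: The `tmpdel`/`delete` block added in the hunk at -428 runs earlier in handler than the `if ($env{'form.ltoken'} ne '')` test added in the hunk at -796. If both lie on the same path (the code between them is outside the diff), `$env{'form.ltoken'}` is already gone and its temporary record removed by the time the SSO link is built. The `ltoken=` branch then never fires, and the `else` clean-up added in the hunk at -829 has nothing left to remove. If the token is meant to survive until the SSO link is built, dropping the block at -428 and keeping only that later `else` clean-up would do it; a comment such as `# single-use link token: remove once no SSO link will carry it` at whichever site remains would make the intended lifetime explicit.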
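Review bot: In the hunk at -796, `my $querystring` is declared inside the `if ($env{'form.firsturl'} ne '')` block, yet the `ltoken`/`linkkey` branches added after that block's closing brace append to `$querystring` again. By then `$ssologin` has already been extended, so the appended `ltoken=`/`linkkey=` text never reaches the SSO link. The name also only resolves there if another `$querystring` is declared in an enclosing scope outside the hunk. Appending to `$ssologin` directly fixes both: `$ssologin .= (($ssologin=~/\?/)?'&':'?') . 'ltoken='.&HTML::Entities::encode(&uri_escape($env{'form.ltoken'}));`, and likewise for `linkkey`.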
@@ -829,6 +858,11 @@ $coursecatalog ENDSAML + } else { + if ($env{'form.ltoken'}) { + &Apache::lonnet::tmpdel($env{'form.ltoken'}); + delete($env{'form.ltoken'}); + } } $r->print(<&');; + my $querystring; + if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) { + $querystring = &uri_escape_utf8($env{'form.firsturl'}); + } else { + $querystring = &uri_escape($env{'form.firsturl'}); + } + $querystring = &HTML::Entities::encode($querystring,"'"); + $url .='?firsturl='.$querystring } if ($linkprot) { my $ltoken = &Apache::lonnet::tmpput({linkprot => $linkprot},$desthost);