Fix code scanning alert no. 124: Cross-site scripting (#482)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: Liteolika

samples/IdentityServer.ServerSample/Controllers/AccountController.cs

@@ -2,7 +2,7 @@
 using Duende.IdentityServer.Services;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Mvc;
-
+using System.Net;
 namespace IdentityServer.ServerSample.Controllers;
 
 public class AccountController : Controller
@@ -23,7 +23,8 @@ public async Task<IActionResult> Login(string returnUrl)
         var providers = schemes
             .Where(x => x.DisplayName != null)
             .Select(x => new ExternalProvider(x.DisplayName ?? x.Name, x.Name));
-        var viewModel = new AccountLoginViewModel(providers, returnUrl);
+        var sanitizedReturnUrl = System.Net.WebUtility.HtmlEncode(returnUrl);
+        var viewModel = new AccountLoginViewModel(providers, sanitizedReturnUrl);
 
         return View(viewModel);
     }

samples/IdentityServer.ServerSample/Views/Account/Login.cshtml

@@ -17,7 +17,7 @@
                 <a class="btn btn-primary btn-lg"
                    asp-action="ExternalLogin"
                    asp-route-provider="@provider.AuthenticationScheme"
-                   asp-route-returnUrl="@Model.ReturnUrl">
+                   asp-route-returnUrl="@Html.Raw(Model.ReturnUrl)">
                     @provider.DisplayName
                 </a>
             }