LEMONLDAP::NG : XSS prevention

modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDA.pm

@@ -30,7 +30,7 @@ sub autoRedirect {
     my $cookieName = $self->{cookieName};
 
     if (    $self->{urldc}
-        and $self->{urldc} !~ m#https?://[^/]*$tmp/#oi
+        and $self->{urldc} !~ m#^https?://[^/]*$tmp/#oi
         and $self->{id}
         and $self->{urldc} !~ m#[\?&]?$cookieName=\w+&?#oi )
     {

modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm

@@ -396,7 +396,7 @@ sub controlUrlOrigin {
         $self->{urldc} = decode_base64( $self->param('url') );
 
         # REJECT <, " and ' in URL or encoded '%' and non protected hosts
-        if (   $self->{urldc} =~ /(?:<|'|"|\%(?:25|3C))/
+        if (   $self->{urldc} =~ /(?:<|'|"|`|\%(?:25|3C|22|27|2C))/
             or $self->{urldc} !~ m#^https?://$self->{reVHosts}# )
         {
             delete $self->{urldc};