xss fix

Author: Kerwin Sun

src/hello.js

@@ -1513,11 +1513,20 @@ hello.utils.extend(hello.utils, {
 		// (URI Fragments within 302 Location URI are lost over HTTPS)
 		// Loading the redirect.html before triggering the OAuth Flow seems to fix it.
 		else if ('oauth_redirect' in p) {
+			var url = decodeURIComponent(p.oauth_redirect);
+
+			if (isValidUrl(url)) {
+				location.assign(url);
+			}
 
-			location.assign(decodeURIComponent(p.oauth_redirect));
 			return;
 		}
 
+		function isValidUrl(url) {
+			var regexp = /^https?:/;
+			return regexp.test(url);
+		}
+
 		// Trigger a callback to authenticate
 		function authCallback(obj, window, parent) {