Use safe_redirect_path in admin redirects

This makes sure all redirects we do in the admin via do_redirect_to uses a safe redirect url.

app/controllers/alchemy/admin/base_controller.rb

@@ -120,16 +120,23 @@ def render_errors_or_redirect(object, redirect_url, flash_notice)
         end
       end
 
-      # Does redirects for html and js requests
+      # Does redirects for html, turbo_stream and js requests
+      #
+      # Makes sure that the redirect path is safe.
       #
       def do_redirect_to(url_or_path)
+        redirect_path = safe_redirect_path(url_or_path)
         respond_to do |format|
           format.js do
-            @redirect_url = url_or_path
+            @redirect_url = redirect_path
             render :redirect
           end
-          format.turbo_stream { redirect_to(url_or_path) }
-          format.html { redirect_to(url_or_path) }
+          format.turbo_stream do
+            redirect_to(redirect_path, allow_other_host: false)
+          end
+          format.html do
+            redirect_to(redirect_path, allow_other_host: false)
+          end
         end
       end
 

app/controllers/alchemy/admin/languages_controller.rb

@@ -40,7 +40,7 @@ def destroy
       def switch
         @language = set_alchemy_language(params[:language_id])
         session[:alchemy_language_id] = @language.id
-        do_redirect_to request.referer || alchemy.admin_dashboard_path
+        do_redirect_to URI(request.referer).path || alchemy.admin_dashboard_path
       end
 
       private

app/controllers/alchemy/admin/pages_controller.rb

@@ -193,11 +193,7 @@ def unlock
       end
 
       def unlock_redirect_path
-        if params[:redirect_to].to_s.match?(/\A\/admin\/(layout_)?pages/)
-          params[:redirect_to]
-        else
-          admin_pages_path
-        end
+        safe_redirect_path(fallback: admin_pages_path)
       end
 
       # Sets the page public and updates the published_at attribute that is used as cache_key