From d12fde2db5e0705a04e41467ac7a70c7488b212f Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Sun, 22 Mar 2026 10:13:44 -0400
Subject: [PATCH 1/2] Allow external redirects from Form::getSubmissionRedirect
Move the external URL check into formSuccessRedirect so it only blocks user-controlled _redirect params, not trusted developer-defined redirects via Form::getSubmissionRedirect.
Fixes #14317
Co-Authored-By: Claude Opus 4.6
---
src/Http/Controllers/FormController.php | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/Http/Controllers/FormController.php b/src/Http/Controllers/FormController.php
index 5913d19990..8115ae7b75 100644
--- a/src/Http/Controllers/FormController.php
+++ b/src/Http/Controllers/FormController.php
@@ -154,9 +154,7 @@ private function formSuccess($params, $submission, $silentFailure = false)
 ]);
 }
- $response = $redirect && ! \Statamic\Facades\URL::isExternalToApplication($redirect)
- ? redirect($redirect)
- : back();
+ $response = $redirect ? redirect($redirect) : back();
 if (! \Statamic\Facades\URL::isExternal($redirect)) {
 session()->flash("form.{$submission->form()->handle()}.success", __('Submission successful.'));
@@ -171,6 +169,10 @@ private function formSuccessRedirect($params, $submission)
 {
 if (! $redirect = Form::getSubmissionRedirect($submission)) {
 $redirect = Arr::get($params, '_redirect');
+
+ if ($redirect && \Statamic\Facades\URL::isExternalToApplication($redirect)) {
+ return null;
+ }
 }
 return $redirect;
From 38186c471fe98297f53aa1efc311048ddb4a4235 Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Sun, 22 Mar 2026 10:27:54 -0400
Subject: [PATCH 2/2] Refactor formSuccessRedirect to use early return for developer-defined redirects
Co-Authored-By: Claude Opus 4.6
---
src/Http/Controllers/FormController.php | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/Http/Controllers/FormController.php b/src/Http/Controllers/FormController.php
index 8115ae7b75..9de616b57e 100644
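Review bot: After this change `formSuccess` performs no check of `$redirect` itself before calling `redirect($redirect)`; the only guard against a user-chosen destination now lives in `formSuccessRedirect`, and the line that assigns `$redirect` (presumably from that method) sits above the hunk, so the invariant is invisible at the point where it is relied on. A comment on the new line would keep a later edit from reintroducing the open redirect, e.g. `// $redirect is either a developer-defined URL (trusted, may be external) or a user-supplied _redirect that formSuccessRedirect() has already restricted to this application.` Note also that the flash decision on the following line uses `URL::isExternal` while the guard uses `URL::isExternalToApplication`; if those two helpers differ in meaning, the success flash may be set or skipped unexpectedly for a developer-defined external redirect, which is harmless but worth confirming. The body of formSuccess starts and ends outside the hunk.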
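Review bot: The added guard covers only the `_redirect` param, while whatever `Form::getSubmissionRedirect($submission)` returns is passed through unchecked; that is the stated intent, but nothing on the method records that this is a trust boundary, and `$submission` presumably carries the user's submitted field values, so a developer callback that derives its URL from submission data would bypass the external-redirect check entirely. A docblock on `formSuccessRedirect` should say so, e.g. `Resolves the post-submission redirect. A developer-defined redirect (Form::getSubmissionRedirect) is trusted as-is and may be external; the user-supplied _redirect param is dropped (null) when it points outside the application. Developer-defined redirects must not be built from submission field values.` The second patch rewrites this method with the same behaviour, and the same docblock applies there.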
--- a/src/Http/Controllers/FormController.php
+++ b/src/Http/Controllers/FormController.php
@@ -167,12 +167,14 @@ private function formSuccess($params, $submission, $silentFailure = false)
 private function formSuccessRedirect($params, $submission)
 {
- if (! $redirect = Form::getSubmissionRedirect($submission)) {
- $redirect = Arr::get($params, '_redirect');
+ if ($redirect = Form::getSubmissionRedirect($submission)) {
+ return $redirect;
+ }
- if ($redirect && \Statamic\Facades\URL::isExternalToApplication($redirect)) {
- return null;
- }
+ $redirect = Arr::get($params, '_redirect');
+
+ if ($redirect && \Statamic\Facades\URL::isExternalToApplication($redirect)) {
+ return null;
 }
 return $redirect;
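Review bot: The `_redirect` value read from `$params` is only checked for truthiness before being handed to `URL::isExternalToApplication()`, so a non-string value (an array, for instance) would presumably reach the helper unguarded — not verifiable from the hunk, but a cheap type check makes the fallback explicit: `if (! is_string($redirect) || $redirect === '') { return null; }` placed ahead of the external check. Returning `null` both for "no redirect configured" and for "rejected external redirect" is indistinguishable to the caller, which then falls back to `back()` with no trace; a comment such as `// A user-supplied redirect outside the application is discarded; the caller falls back to back().` would record that this is deliberate. The method also declares no return type; if it always yields a string or null, `: ?string` would document that, but the return type of `Form::getSubmissionRedirect` is not visible here.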