diff --git a/components/server/src/user/user-controller.ts b/components/server/src/user/user-controller.ts
index c62964420cbc2e..bd3b68596ce953 100644
--- a/components/server/src/user/user-controller.ts
+++ b/components/server/src/user/user-controller.ts
@@ -81,6 +81,7 @@ export class UserController {
 }
 // Proceed with login
+ this.ensureSafeReturnToParam(req);
 await this.authenticator.authenticate(req, res, next);
 });
 router.get("/authorize", (req: express.Request, res: express.Response, next: express.NextFunction) => {
@@ -88,6 +89,7 @@ export class UserController {
 res.sendStatus(401);
 return;
 }
+ this.ensureSafeReturnToParam(req);
 this.authenticator.authorize(req, res, next);
 });
 const branding = this.env.brandingConfig;
@@ -483,6 +485,10 @@ export class UserController {
 }
 }
+ protected ensureSafeReturnToParam(req: express.Request) {
+ req.query.returnTo = this.getSafeReturnToParam(req);
+ }
+
 protected getSafeReturnToParam(req: express.Request) {
 const returnToURL: string | undefined = req.query.redirect || req.query.returnTo;
 if (returnToURL) {
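Review bot: `ensureSafeReturnToParam` overwrites only `req.query.returnTo`, but `getSafeReturnToParam` (whose body continues past the end of the hunk) resolves the target from `req.query.redirect || req.query.returnTo`, so a raw `redirect` parameter survives the sanitization step and any downstream reader of `req.query.redirect` — presumably the authenticator that the first two hunks call right after — still sees the unchecked value. Overwrite or drop the alias in the same step so there is a single sanitized source: `req.query.returnTo = this.getSafeReturnToParam(req); delete req.query.redirect;`. Also note that the `string | undefined` annotation on `returnToURL` only holds for a scalar parameter; with Express's default query parser a repeated `?returnTo=a&returnTo=b` arrives as an array, so a `typeof value === "string"` guard before the value is used would keep the check from being bypassed or throwing on non-string input. A short doc comment on the new helper, such as `// Replaces the returnTo/redirect query value in place with a validated one (or undefined) before the authenticator reads it`, would make the in-place mutation of `req.query` explicit for readers of the login and authorize handlers.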