From fe3948f3a40c2633bc532aca577406c66a18ad59 Mon Sep 17 00:00:00 2001
From: Chris McCord
Date: Thu, 13 Apr 2023 12:16:20 -0400
Subject: [PATCH] Handle \t as well
---
 lib/phoenix/controller.ex | 2 +-
 test/phoenix/controller/controller_test.exs | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/phoenix/controller.ex b/lib/phoenix/controller.ex
index b51ba03491..5cc2d1315e 100644
--- a/lib/phoenix/controller.ex
+++ b/lib/phoenix/controller.ex
@@ -506,7 +506,7 @@ defmodule Phoenix.Controller do
 end
 end
- @invalid_local_url_chars ["\\", "\%"]
+ @invalid_local_url_chars ["\\", "/%", "/\t"]
 defp validate_local_url("//" <> _ = to), do: raise_invalid_url(to)
 defp validate_local_url("/" <> _ = to) do
diff --git a/test/phoenix/controller/controller_test.exs b/test/phoenix/controller/controller_test.exs
index a99ea49d59..64db87e558 100644
--- a/test/phoenix/controller/controller_test.exs
+++ b/test/phoenix/controller/controller_test.exs
@@ -386,6 +386,10 @@ defmodule Phoenix.Controller.ControllerTest do
 assert_raise ArgumentError, ~r/unsafe/, fn ->
 redirect(conn(:get, "/"), to: "/%09/example.com")
 end
+
+ assert_raise ArgumentError, ~r/unsafe/, fn ->
+ redirect(conn(:get, "/"), to: "/\t/example.com")
+ end
 end
 test "with :external" do
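Review bot: The entries of `@invalid_local_url_chars` are now two-character sequences rather than single characters, and nothing beside the attribute records why each one is refused, so the name and the list no longer explain each other. Besides the tab entry named in the subject, the same line narrows the percent entry from `"\%"` (the same string as `"%"` in Elixir) to `"/%"`, which changes the set of local paths that get rejected and is worth stating in the commit message. I would add a comment above the attribute, for example `# "\\" can be read as "/"; "/%" and "/\t" keep "/%09/host" and "/\t/host" from being treated as "//host"`. The clause of `validate_local_url/1` that consumes the list continues outside the hunk, so confirm there whether it is a substring test over the whole URL.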
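Review bot: The assertions visible in this hunk only check rejection, so nothing here pins the other behaviour change in this commit, the narrowing of the percent rule from `"%"` to `"/%"` in `lib/phoenix/controller.ex`. A positive case would catch the rule being widened again by accident. One option, with a constructed sample path, is `assert redirect(conn(:get, "/"), to: "/search?q=a%20b").status == 302`. The enclosing `test` block starts outside the hunk, so an equivalent check may already exist above.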