Regression on dest parameter sanitization doesn't check scheme/websafe destinations
Medium
Reddit
Reported by
mrzheev
Vulnerability Details
Technical details and impact analysis
Hi team, I get XSS via a blocked:alert() URL on the login page parameter dest=.
### Payload URL XSS:
```
blocked:alert(document.domain);
```
## XSS JavaScript URL
### Steps and reproduction:
- Using a browser, navigate to: https://www.reddit.com/login/?dest=https%3A%2F%2Fwww.reddit.com%2F
- Copy and modify the "dest" parameter so that the URL redirects to dest=blocked:alert(document.domain);
- Open this in a new browser window; after login you will get a pop-up (XSS triggered).
## Proof of Concept (PoC):
https://www.reddit.com/login/?dest=blocked:alert(document.domain);
{F2316733}
References:
https://brightsec.com/blog/open-redirect-vulnerabilities/
https://hackerone.com/reports/1930763
## Impact
When an attacker manages to perform a redirect in JavaScript, many dangerous vulnerabilities may occur. As open redirects are mostly used in phishing scams, people are not aware of the fact that open redirects can also be part of more complex attack chains where multiple vulnerabilities are exploited, and a JavaScript-based open redirect is a key part of that chain. For example, redirecting the user to blocked:something() ends up being a dangerous cross-site scripting injection, and the attacker can steal the victim's cookies.
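The check the report title calls for, as an added example that is not Reddit's code and not part of the report: a `dest` validator that parses the value with the WHATWG URL parser, accepts only `http:`/`https:` schemes and only hosts under an allowed domain, and otherwise falls back to a fixed default. The `blocked:` prefix in the payload above is assumed to be HackerOne's rendering of a `javascript:` URL, so the validator is tested against both spellings. `BASE`, `ALLOWED_HOST`, the `vulnerableDest` "before" function and the sample inputs are all assumptions constructed for this example.

```javascript
// Added example: validating a post-login redirect target such as dest=.
// Not Reddit's implementation; BASE and ALLOWED_HOST are assumed values.
const BASE = "https://www.reddit.com/";
const ALLOWED_HOST = "reddit.com"; // exact host or any subdomain of it

// Hypothetical "before": a string-prefix check that only looks for an
// external http(s) host. Anything without an http(s) prefix is passed
// through as if it were a relative path, so javascript: (shown as blocked:
// on HackerOne) reaches location.href and executes as script.
function vulnerableDest(dest) {
  if (dest.startsWith("http://") || dest.startsWith("https://")) {
    return dest.includes("reddit.com") ? dest : BASE; // substring check, bypassable
  }
  return dest; // scheme never inspected
}

// Hardened version: parse, then allow-list scheme and host.
// Returns a fully resolved URL string, or BASE when dest is unsafe.
function safeDest(dest) {
  if (typeof dest !== "string" || dest.length === 0) return BASE;
  let url;
  try {
    // Relative paths resolve against BASE; absolute URLs ignore BASE.
    // The parser also strips leading tabs/spaces and lowercases the scheme,
    // so "\t JaVaScRiPt:" is still seen as javascript:.
    url = new URL(dest, BASE);
  } catch {
    return BASE; // unparseable input is never a valid destination
  }
  // 1. Scheme allow-list: rejects javascript:, blocked:, data:, vbscript:, ...
  if (url.protocol !== "https:" && url.protocol !== "http:") return BASE;
  // 2. Host allow-list on the parsed hostname (not a substring match), which
  //    rejects reddit.com.evil.com, //evil.com and user@host tricks alike.
  const host = url.hostname;
  if (host !== ALLOWED_HOST && !host.endsWith("." + ALLOWED_HOST)) return BASE;
  // 3. Embedded credentials have no legitimate use in a redirect target.
  if (url.username || url.password) return BASE;
  return url.href;
}

// Constructed sample inputs: the report's payload plus common bypass shapes.
const SAMPLES = [
  "https://www.reddit.com/",
  "/r/netsec",
  "https://old.reddit.com/r/netsec?x=1",
  "javascript:alert(document.domain);",
  "blocked:alert(document.domain);",
  "JaVaScRiPt:alert(1)",
  "\t javascript:alert(1)",
  "//evil.com/",
  "https://www.reddit.com.evil.com/",
  "https://www.reddit.com@evil.com/",
  "https:\\\\evil.com",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", safeDest(s));
}
```

The point of the `vulnerableDest` function is only to show why a check that never parses the scheme cannot stop this class of payload; the hardened check keys on `url.protocol` and `url.hostname` after parsing rather than on the raw string, so casing, leading whitespace, backslashes and `user@host` forms are all normalised before the decision is made.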
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$500.00
Weakness
Cross-site Scripting (XSS) - Reflected