diff --git a/packages/admin/src/lib/testPassword.ts b/packages/admin/src/lib/testPassword.ts index 7570e431b..9402668d8 100644 --- a/packages/admin/src/lib/testPassword.ts +++ b/packages/admin/src/lib/testPassword.ts @@ -16,6 +16,7 @@ const mutableStdout = new Writable({ }, }); +// eslint-disable-next-line @typescript-eslint/no-floating-promises checkWellKnownPasswords().then(found => { if (found) { console.log(`Found well-known password: ${JSON.stringify(found)}`); diff --git a/packages/admin/src/lib/web.ts b/packages/admin/src/lib/web.ts index 20a38039e..25fa0f1c8 100644 --- a/packages/admin/src/lib/web.ts +++ b/packages/admin/src/lib/web.ts @@ -23,14 +23,6 @@ import * as session from 'express-session'; import * as bodyParser from 'body-parser'; import * as cookieParser from 'cookie-parser'; -function isLocalUrl(path: string): boolean { - try { - return new URL(path, "http://127.0.0.1:3000").origin === "http://127.0.0.1:3000"; - } catch (e) { - return false; - } -} - export interface AdminAdapterConfig extends ioBroker.AdapterConfig { accessAllowedConfigs: string[]; accessAllowedTabs: string[]; @@ -123,6 +115,14 @@ function escapeHtml(string: string): string { return lastIndex !== index ? html + str.substring(lastIndex, index) : html; } +function isLocalUrl(path: string): boolean { + try { + return new URL(path, 'http://127.0.0.1:3000').origin === 'http://127.0.0.1:3000'; + } catch { + return false; + } +} + function get404Page(customText?: string): string { if (customText) { return page404.replace('
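Review bot: The added `eslint-disable-next-line @typescript-eslint/no-floating-promises` silences the rule without handling the rejection it warns about; if `checkWellKnownPasswords()` rejects and the chain has no `.catch()`, Node reports an unhandled rejection, which is fatal by default on Node 15+. Attach a handler at the end of the chain instead, e.g. `}).catch(e => { console.error(`checkWellKnownPasswords failed: ${e}`); process.exitCode = 1; });`, which also satisfies the rule so the disable comment can go. The `.then` callback continues past the end of the hunk, so I can't see whether a handler already exists further down.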
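Review bot: `isLocalUrl` carries no documentation, and the property it enforces deserves stating because the login handler relies on it to block open redirects. I'd add above it: `/** True only when the input resolves, against a dummy local base, to that same origin: protocol-relative (//host/...) and absolute URLs to other hosts, and anything the URL parser rejects, all yield false. */`. The base string appears twice in the function; hoisting it to `const LOCAL_ORIGIN = 'http://127.0.0.1:3000';` and comparing `origin === LOCAL_ORIGIN` keeps the two copies from drifting apart. Note the check is on origin only, so any path on the local origin passes; the character whitelist in the caller is what keeps the accepted value a plain path.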
', ` `); @@ -622,10 +622,10 @@ class Web { req.body = req.body || {}; const isDev = req.url.includes('?dev&'); - const origin = req.body.origin || '?href=%2F'; + const origin = (req.body.origin || '?href=%2F').trim(); if (origin) { - const parts = origin.match(/href=(.+)$/); - if (parts && parts.length > 1 && parts[1]) { + const parts = origin.split('href='); + if (parts?.length > 1 && parts[1]) { redirect = decodeURIComponent(parts[1]); // if some invalid characters in redirect if (redirect.match(/[^-_a-zA-Z0-9&%?./]/) || !isLocalUrl(redirect)) {
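Review bot: `decodeURIComponent(parts[1])` throws `URIError` on malformed percent-encoding (a body of `origin=?href=%E0%A4%A` is enough), and `(req.body.origin || …).trim()` throws `TypeError` when the body parser delivers `origin` as a non-string (an array from `origin[]=x` under extended urlencoded parsing); both values come straight from the POST body. Unless a try/catch outside the hunk covers them — the enclosing handler in `class Web` starts and ends outside the hunk — each becomes an exception out of the login handler instead of a fallback to the default redirect. Also, `parts` from `String.prototype.split` is never nullish, so `parts?.length > 1` can simply be `parts.length > 1`. I'd type-check the field and guard the decode, falling back to `/`, which is what the default `?href=%2F` decodes to:
```typescript
            const rawOrigin = typeof req.body.origin === 'string' ? req.body.origin : '';
            const origin = (rawOrigin || '?href=%2F').trim();
            if (origin) {
                const parts = origin.split('href=');
                if (parts.length > 1 && parts[1]) {
                    try {
                        redirect = decodeURIComponent(parts[1]);
                    } catch {
                        // malformed percent-encoding from the client: use the default target
                        redirect = '/';
                    }
                    // … unchanged: invalid-character and isLocalUrl check …
```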