--------------------------------------------------------------------------------
I have confirmed that the changes below fix this problem.
<pre><code class="diff">
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 06e2d702c1..afbb30f3ee 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -440,7 +440,7 @@ class ApplicationController < ActionController::Base
end

begin
- uri = URI.parse(back_url)
+ uri = URI.parse(URI.encode(back_url))
rescue URI::InvalidURIError
return false
end

</code></pre>

However, I am concerned that this change will cause other problems.
ApplicationController#validate_back_url is a method that includes security changes(#19577), so it needs to be corrected carefully.
--------------------------------------------------------------------------------
I think that the patch attached is better than the correction method suggested in #31552#note-2.

The issues/_list also make the back_url parameter in the same way.
The same problem occurred with the calendar, so we fix it together.
--------------------------------------------------------------------------------
Mizuki ISHIKAWA wrote:
> The issues/_list also make the back_url parameter in the same way.

source:tags/4.0.4/app/views/issues/_list.html.erb#L5 and source:tags/4.0.4/app/views/timelog/_list.html.erb#L2.

Setting the target version to 4.0.5.
--------------------------------------------------------------------------------
Committed the patch. Thank you all for reporting and fixing this issue.
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

relates,New,31831,Back url parse in validation