[#72917] Improve / harden redirect logic for historic identifiers

Apply suggestion from @Copilot

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: judithroth

app/controllers/application_controller.rb

@@ -263,7 +263,18 @@ def find_project_by_project_id
   def redirect_if_historical_project_identifier(identifier_param_key)
     param = params[identifier_param_key]
     if request.get? && param.friendly_id? && param != @project.identifier
-      redirect_to url_for(params.to_unsafe_h.merge(identifier_param_key => @project.identifier)),
+      # Reconstruct the URL from path + query parameters, and prevent user-supplied
+      # options such as :host or :protocol from influencing the redirect target.
+      safe_path_params  = request.path_parameters.symbolize_keys
+      safe_query_params = request.query_parameters.symbolize_keys
+
+      # Ensure the identifier in the path matches the current project identifier.
+      safe_path_params[identifier_param_key] = @project.identifier
+
+      # Remove any URL option keys that could affect the redirect target.
+      safe_query_params.except!(:host, :protocol, :subdomain, :domain, :port)
+
+      redirect_to url_for(safe_path_params.merge(safe_query_params).merge(only_path: true)),
                   status: :moved_permanently
     end
   end