http://firstname.lastname@example.org

The above URL redirects to attacker.com and should bypass the regex because it contains prompt.ml.
To bypass decodeURIComponent(), we simply have to use %2f, which is the URL-encoded representation of /. And our bypass is:
A URL that starts with two forward slashes (a scheme-relative URL) is treated as absolute by browsers.
The next try should be \/evilzone.org. Since most browsers render \ back to /, this usually bypasses the check and creates //evilzone.org (you can read more about this in @homrkov’s Evolution of Open Redirection post).
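
Each of the bypasses above works because a string or regex check and the browser's URL parser disagree about which host the value points to. As an added example (not code from the original post), the check below resolves the target with the WHATWG URL parser, the same rules browsers apply, and compares origins; `APP_ORIGIN`, `safeRedirectTarget` and the sample values are assumptions made for illustration.

```javascript
// Added example: same-origin redirect validation using the WHATWG URL parser.
// APP_ORIGIN and safeRedirectTarget are hypothetical names, not from the post.
const APP_ORIGIN = "https://app.example"; // assumed origin of the protected site

function safeRedirectTarget(target, appOrigin = APP_ORIGIN) {
  if (typeof target !== "string" || target.length === 0) return null;

  // URL parsers silently drop tab, CR and LF, so a value containing control
  // characters can parse differently from how it looks. Reject it outright.
  if (/[\u0000-\u001f\u007f]/.test(target)) return null;

  let url;
  try {
    // Resolve exactly as a browser would: for http(s), "\" is read as "/",
    // "//host" is scheme-relative, and in "user@host" the real host follows "@".
    url = new URL(target, appOrigin + "/");
  } catch {
    return null; // not parseable as a URL at all
  }

  // Compare the parsed origin (scheme + host + port), never a substring.
  if (url.origin !== appOrigin) return null;

  // Userinfo is not part of the origin; refuse it rather than pass it along.
  if (url.username !== "" || url.password !== "") return null;

  // Return the re-serialised absolute URL. Returning url.pathname would be
  // unsafe, because a pathname can itself begin with "//".
  return url.href;
}
```

Call it on the exact string that will be written to the `Location` header, after any decoding the application performs, so that a value such as `%2f%2fevilzone.org` is judged in its decoded form.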