fix(analytics): DATA-13050 Generate text correctly when product name has number sign in name

bc-facundo-yuffrida · bc-facundo-yuffrida · commit e8f5da7778b8 · 2025-12-22T15:57:37.000+01:00
diff --git a/src/app/api/app/load/route.ts b/src/app/api/app/load/route.ts
@@ -29,13 +29,45 @@ const jwtSchema = z.object({
   channel_id: z.number().nullable(),
 });
 
-export async function GET(request: NextRequest) {
-  function appendExchangeToken(url: string, token: string): string {
-    const delimiter = new URL(url, env.APP_ORIGIN).search ? '&' : '?';
+/**
+ * It can be provided a URL where `product_name` contains raw reserved characters
+ * (e.g. "Widget #2", "AT&T", "plus+sign"). These can be interpreted as URL delimiters
+ * (`#` fragment, `&` query separator, `+` becomes space in x-www-form-urlencoded parsing),
+ * truncating or mutating the query param value.
+ *
+ * We sanitize the value in-place so Next can receive the full name.
+ */
+function sanitizeQueryParamValue(value: string): string {
+  const withSafePercents = value.replace(/%(?![0-9A-Fa-f]{2})/g, '%25');
 
-    return `${url}${delimiter}exchangeToken=${token}`;
-  }
+  return withSafePercents
+    .replaceAll('+', '%2B')
+    .replaceAll('#', '%23')
+    .replaceAll('&', '%26')
+    .replaceAll(' ', '%20');
+}
+
+function sanitizeQueryParamValueInPath(path: string, paramName: string): string {
+  const key = `${paramName}=`;
+  const keyIdx = path.indexOf(key);
+  if (keyIdx === -1) return path;
+
+  const valueStart = keyIdx + key.length;
+  const remainder = path.slice(valueStart);
+  const delimiterMatch = remainder.match(/&[A-Za-z0-9_.~-]+=/);
+  const endIdx =
+    delimiterMatch && typeof delimiterMatch.index === 'number'
+      ? valueStart + delimiterMatch.index
+      : path.length;
 
+  const before = path.slice(0, valueStart);
+  const value = path.slice(valueStart, endIdx);
+  const after = path.slice(endIdx);
+
+  return `${before}${sanitizeQueryParamValue(value)}${after}`;
+}
+
+export async function GET(request: NextRequest) {
   const parsedParams = queryParamSchema.safeParse(
     Object.fromEntries(request.nextUrl.searchParams)
   );
@@ -64,8 +96,14 @@ export async function GET(request: NextRequest) {
   });
 
   const exchangeToken = await db.saveClientToken(clientToken);
+  const safePath = sanitizeQueryParamValueInPath(
+    sanitizeQueryParamValueInPath(path, 'product_name'),
+    'productName'
+  );
+  const redirectUrl = new URL(safePath, env.APP_ORIGIN);
+  redirectUrl.searchParams.set('exchangeToken', exchangeToken);
 
-  return NextResponse.redirect(new URL(appendExchangeToken(path, exchangeToken), env.APP_ORIGIN), {
+  return NextResponse.redirect(redirectUrl, {
     status: 302,
     statusText: 'Found',
   });
