decode input

Author: chargome

app/platform-redirect/utils.spec.ts

@@ -29,4 +29,18 @@ describe('sanitizeNext', () => {
   it('should return an empty string for paths with colons', () => {
     expect(sanitizeNext('/path:to/resource')).toBe('');
   });
+
+  it('should return an empty string for the root path', () => {
+    expect(sanitizeNext('/')).toBe('');
+  });
+
+  it('should decode URL encoded characters', () => {
+    expect(sanitizeNext('/path%2Fwith%2Fslashes')).toBe('/path/with/slashes');
+  });
+
+  it('should return an empty string for a malformed URI component', () => {
+    const input = '%E0%A4%A'; // Malformed URI
+    const expectedOutput = '';
+    expect(sanitizeNext(input)).toBe(expectedOutput);
+  });
 });

app/platform-redirect/utils.ts

@@ -1,5 +1,13 @@
 export const sanitizeNext = (next: string) => {
-  let sanitizedNext = next;
+  // Safely decode URI component
+  let sanitizedNext: string;
+  try {
+    sanitizedNext = decodeURIComponent(next);
+  } catch (e) {
+    // Return empty string if decoding fails
+    return '';
+  }
+
   // Validate that next is an internal path
   if (
     sanitizedNext.startsWith('//') ||
@@ -21,5 +29,5 @@ export const sanitizeNext = (next: string) => {
   // Only allow alphanumeric, hyphens
   sanitizedNext = pathname.replace(/[^\w\-\/]/g, '');
 
-  return sanitizedNext;
+  return sanitizedNext === '/' ? '' : sanitizedNext;
 };