PM-197 - XSS poor validation error handling

Author: vas3a

src/shared/components/Contentful/Article/Article.jsx

@@ -139,7 +139,7 @@ class Article extends React.Component {
     } = this.state || {};
     let shareUrl;
     if (isomorphy.isClientSide()) {
-      shareUrl = encodeURIComponent(window.location.href);
+      shareUrl = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
     }
     const description = htmlToText.fromString(
       ReactDOMServer.renderToString(markdown(fields.content)),

src/shared/components/Gigs/GigApply/index.jsx

@@ -36,7 +36,7 @@ export default function GigApply(props) {
     recruitProfile,
     auth,
   } = props;
-  const retUrl = window.location.href;
+  const retUrl = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
   const duration = getCustomField(job.custom_fields, 'Duration');
   const isPlaced = _.find(_.isEmpty(recruitProfile) ? [] : recruitProfile.custom_fields, { field_id: 12 });
   const fetchSkills = useMemo(() => _.debounce((inputValue, callback) => {
@@ -353,9 +353,9 @@ export default function GigApply(props) {
         <div styleName="error">
           <h3>You must be a Topcoder member to apply!</h3>
           <div styleName="cta-buttons">
-            <Link to={`${config.URL.AUTH}/member?retUrl=${encodeURIComponent(retUrl)}`} styleName="primaryBtn">Login</Link>
+            <Link to={`${config.URL.AUTH}/member?retUrl=${retUrl}`} styleName="primaryBtn">Login</Link>
           </div>
-          <p styleName="regTxt">Not a member? Register <a href={`${config.URL.AUTH}/?retUrl=${encodeURIComponent(retUrl)}&mode=signUp&utm_source=gig_listing&regSource=gigs`}>here</a>.</p>
+          <p styleName="regTxt">Not a member? Register <a href={`${config.URL.AUTH}/?retUrl=${retUrl}&mode=signUp&utm_source=gig_listing&regSource=gigs`}>here</a>.</p>
         </div>
       </div>
     </div>

src/shared/components/TopcoderHeader/Auth/index.jsx

@@ -28,7 +28,7 @@ export default function Auth({ column }) {
         className="tc-btn-sm tc-btn-default"
         href={`${config.URL.AUTH}/member?utm_source=community-app-main`}
         onClick={(event) => {
-          const retUrl = encodeURIComponent(window.location.href);
+          const retUrl = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
           window.location = `${config.URL.AUTH}/member?retUrl=${retUrl}&utm_source=community-app-main`;
           event.preventDefault();
         }}

src/shared/components/tc-communities/AccessDenied/index.jsx

@@ -50,7 +50,7 @@ export default function AccessDenied(props) {
               className="tc-btn-md tc-btn-primary"
               href={`${config.URL.AUTH}/member?utm_source=${communityId}`}
               onClick={(event) => {
-                const retUrl = encodeURIComponent(window.location.href);
+                const retUrl = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
                 window.location = `${config.URL.AUTH}/member?retUrl=${retUrl}&utm_source=${communityId}`;
                 event.preventDefault();
               }}

src/shared/components/tc-communities/Footer/index.jsx

@@ -56,7 +56,7 @@ function Footer({
           <button
             className={theme.btnRegister}
             onClick={() => {
-              const url = encodeURIComponent(window.location.href);
+              const url = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
               window.location = `${config.URL.AUTH}/member/registration?retUrl=${url}&utm_source=${communityId}`;
             }}
             type="button"
@@ -66,7 +66,7 @@ function Footer({
           <button
             className={theme.btnLogin}
             onClick={() => {
-              const url = encodeURIComponent(window.location.href);
+              const url = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
               window.location = `${config.URL.AUTH}/member?retUrl=${url}&utm_source=${communityId}`;
             }}
             type="button"

src/shared/components/tc-communities/Header/index.jsx

@@ -172,7 +172,7 @@ function Header(props) {
         communityId === 'zurich' ? (
           <PrimaryButton
             onClick={() => {
-              const returnUrl = encodeURIComponent(window.location.href);
+              const returnUrl = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
               window.location = `${config.URL.AUTH}/sso-login/?retUrl=${returnUrl}&utm_source=${communityId}`;
             }}
             size="sm"
@@ -184,7 +184,7 @@ function Header(props) {
         ) : (
           <Button
             onClick={() => {
-              const url = encodeURIComponent(`${window.location.href}?join=${groupIds[0]}`);
+              const url = encodeURIComponent(`${window.location.origin}${window.location.pathname}?join=${groupIds[0]}`);
               window.location = `${config.URL.AUTH}/member?retUrl=${url}&utm_source=${communityId}`;
             }}
             size="sm"
@@ -196,7 +196,7 @@ function Header(props) {
       { hideJoinNow ? null : (
         <PrimaryButton
           onClick={() => {
-            let url = encodeURIComponent(`${window.location.href}?join=${groupIds[0]}`);
+            let url = encodeURIComponent(`${window.location.origin}${window.location.pathname}?join=${groupIds[0]}`);
             url = encodeURIComponent(`${config.URL.AUTH}/member?retUrl=${url}&utm_source=${communityId}`);
             url = encodeURIComponent(url);
             window.location = `${config.URL.AUTH}/member/registration?retUrl=${url}&utm_source=${communityId}`;

src/shared/containers/Dashboard/index.jsx

@@ -42,7 +42,7 @@ function SlashTCContainer(props) {
 
   useEffect(() => {
     if (props.tokenV3 && !isTokenExpired(props.tokenV3)) return;
-    let url = `retUrl=${encodeURIComponent(location.href)}`;
+    let url = `retUrl=${encodeURIComponent(`${window.location.origin}${window.location.pathname}`)}`;
     url = `${config.URL.AUTH}/member?${url}&utm_source=community-app-home-page`;
     location.href = url;
   }, [props.tokenV3]);

src/shared/containers/challenge-detail/index.jsx

@@ -327,7 +327,7 @@ class ChallengeDetailPageContainer extends React.Component {
     } = this.props;
     if (!auth.tokenV3) {
       const utmSource = communityId || 'community-app-main';
-      window.location.href = `${config.URL.AUTH}/member?retUrl=${encodeURIComponent(window.location.href)}&utm_source=${utmSource}&regSource=challenges`;
+      window.location.href = `${config.URL.AUTH}/member?retUrl=${encodeURIComponent(`${window.location.origin}${window.location.pathname}`)}&utm_source=${utmSource}&regSource=challenges`;
     } else {
       // Show security reminder to all registrants
       this.setState({

src/shared/containers/tc-communities/Loader.jsx

@@ -42,7 +42,7 @@ class Loader extends React.Component {
       visitorGroups,
     } = this.props;
 
-    const returnUrl = encodeURIComponent(window.location.href);
+    const returnUrl = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
 
     if (!loadingMeta && (
       !meta /* || (Date.now() - meta.timestamp) > MAXAGE */

src/shared/utils/tc.js

@@ -212,7 +212,7 @@ export async function getM2mToken() {
  */
 export function goToLogin(utmSource = '') {
   if (isomorphy.isClientSide()) {
-    const retUrl = encodeURIComponent(window.location.href);
+    const retUrl = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
     window.location = `${config.URL.AUTH}/member?retUrl=${retUrl}&utm_source=${utmSource}`;
   }
 }