From d89f6d15a4e1a2fec5767ea065781fdfbe09f549 Mon Sep 17 00:00:00 2001
From: Vasilica Olariu <olariu.vasilica@gmail.com>
Date: Wed, 18 Dec 2024 17:24:14 +0200
Subject: [PATCH] PM-197 - XSS poor validation error handling

---
 src/shared/components/Contentful/Article/Article.jsx        | 2 +-
 src/shared/components/Gigs/GigApply/index.jsx               | 6 +++---
 src/shared/components/TopcoderHeader/Auth/index.jsx         | 2 +-
 src/shared/components/tc-communities/AccessDenied/index.jsx | 2 +-
 src/shared/components/tc-communities/Footer/index.jsx       | 4 ++--
 src/shared/components/tc-communities/Header/index.jsx       | 6 +++---
 src/shared/containers/Dashboard/index.jsx                   | 2 +-
 src/shared/containers/challenge-detail/index.jsx            | 2 +-
 src/shared/containers/tc-communities/Loader.jsx             | 2 +-
 src/shared/utils/tc.js                                      | 2 +-
 10 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/src/shared/components/Contentful/Article/Article.jsx b/src/shared/components/Contentful/Article/Article.jsx
index d15b08c260..772a0afb0a 100644
--- a/src/shared/components/Contentful/Article/Article.jsx
+++ b/src/shared/components/Contentful/Article/Article.jsx
@@ -139,7 +139,7 @@ class Article extends React.Component {
     } = this.state || {};
     let shareUrl;
     if (isomorphy.isClientSide()) {
-      shareUrl = encodeURIComponent(window.location.href);
+      shareUrl = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
     }
     const description = htmlToText.fromString(
       ReactDOMServer.renderToString(markdown(fields.content)),
diff --git a/src/shared/components/Gigs/GigApply/index.jsx b/src/shared/components/Gigs/GigApply/index.jsx
index a36919c2bf..53d6b557bc 100644
--- a/src/shared/components/Gigs/GigApply/index.jsx
+++ b/src/shared/components/Gigs/GigApply/index.jsx
@@ -36,7 +36,7 @@ export default function GigApply(props) {
     recruitProfile,
     auth,
   } = props;
-  const retUrl = window.location.href;
+  const retUrl = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
   const duration = getCustomField(job.custom_fields, 'Duration');
   const isPlaced = _.find(_.isEmpty(recruitProfile) ? [] : recruitProfile.custom_fields, { field_id: 12 });
   const fetchSkills = useMemo(() => _.debounce((inputValue, callback) => {
@@ -353,9 +353,9 @@ export default function GigApply(props) {
         <div styleName="error">
           <h3>You must be a Topcoder member to apply!</h3>
           <div styleName="cta-buttons">
-            <Link to={`${config.URL.AUTH}/member?retUrl=${encodeURIComponent(retUrl)}`} styleName="primaryBtn">Login</Link>
+            <Link to={`${config.URL.AUTH}/member?retUrl=${retUrl}`} styleName="primaryBtn">Login</Link>
           </div>
-          <p styleName="regTxt">Not a member? Register <a href={`${config.URL.AUTH}/?retUrl=${encodeURIComponent(retUrl)}&mode=signUp&utm_source=gig_listing&regSource=gigs`}>here</a>.</p>
+          <p styleName="regTxt">Not a member? Register <a href={`${config.URL.AUTH}/?retUrl=${retUrl}&mode=signUp&utm_source=gig_listing&regSource=gigs`}>here</a>.</p>
         </div>
       </div>
     </div>
diff --git a/src/shared/components/TopcoderHeader/Auth/index.jsx b/src/shared/components/TopcoderHeader/Auth/index.jsx
index ab8c237b6a..eee206a735 100644
--- a/src/shared/components/TopcoderHeader/Auth/index.jsx
+++ b/src/shared/components/TopcoderHeader/Auth/index.jsx
@@ -28,7 +28,7 @@ export default function Auth({ column }) {
         className="tc-btn-sm tc-btn-default"
         href={`${config.URL.AUTH}/member?utm_source=community-app-main`}
         onClick={(event) => {
-          const retUrl = encodeURIComponent(window.location.href);
+          const retUrl = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
           window.location = `${config.URL.AUTH}/member?retUrl=${retUrl}&utm_source=community-app-main`;
           event.preventDefault();
         }}
diff --git a/src/shared/components/tc-communities/AccessDenied/index.jsx b/src/shared/components/tc-communities/AccessDenied/index.jsx
index a5730d6d97..32952604e6 100644
--- a/src/shared/components/tc-communities/AccessDenied/index.jsx
+++ b/src/shared/components/tc-communities/AccessDenied/index.jsx
@@ -50,7 +50,7 @@ export default function AccessDenied(props) {
               className="tc-btn-md tc-btn-primary"
               href={`${config.URL.AUTH}/member?utm_source=${communityId}`}
               onClick={(event) => {
-                const retUrl = encodeURIComponent(window.location.href);
+                const retUrl = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
                 window.location = `${config.URL.AUTH}/member?retUrl=${retUrl}&utm_source=${communityId}`;
                 event.preventDefault();
               }}
diff --git a/src/shared/components/tc-communities/Footer/index.jsx b/src/shared/components/tc-communities/Footer/index.jsx
index 8f0809a158..4299238d27 100644
--- a/src/shared/components/tc-communities/Footer/index.jsx
+++ b/src/shared/components/tc-communities/Footer/index.jsx
@@ -56,7 +56,7 @@ function Footer({
           <button
             className={theme.btnRegister}
             onClick={() => {
-              const url = encodeURIComponent(window.location.href);
+              const url = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
               window.location = `${config.URL.AUTH}/member/registration?retUrl=${url}&utm_source=${communityId}`;
             }}
             type="button"
@@ -66,7 +66,7 @@ function Footer({
           <button
             className={theme.btnLogin}
             onClick={() => {
-              const url = encodeURIComponent(window.location.href);
+              const url = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
               window.location = `${config.URL.AUTH}/member?retUrl=${url}&utm_source=${communityId}`;
             }}
             type="button"
diff --git a/src/shared/components/tc-communities/Header/index.jsx b/src/shared/components/tc-communities/Header/index.jsx
index b9387978c8..798d595a7a 100644
--- a/src/shared/components/tc-communities/Header/index.jsx
+++ b/src/shared/components/tc-communities/Header/index.jsx
@@ -172,7 +172,7 @@ function Header(props) {
         communityId === 'zurich' ? (
           <PrimaryButton
             onClick={() => {
-              const returnUrl = encodeURIComponent(window.location.href);
+              const returnUrl = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
               window.location = `${config.URL.AUTH}/sso-login/?retUrl=${returnUrl}&utm_source=${communityId}`;
             }}
             size="sm"
@@ -184,7 +184,7 @@ function Header(props) {
         ) : (
           <Button
             onClick={() => {
-              const url = encodeURIComponent(`${window.location.href}?join=${groupIds[0]}`);
+              const url = encodeURIComponent(`${window.location.origin}${window.location.pathname}?join=${groupIds[0]}`);
               window.location = `${config.URL.AUTH}/member?retUrl=${url}&utm_source=${communityId}`;
             }}
             size="sm"
@@ -196,7 +196,7 @@ function Header(props) {
       { hideJoinNow ? null : (
         <PrimaryButton
           onClick={() => {
-            let url = encodeURIComponent(`${window.location.href}?join=${groupIds[0]}`);
+            let url = encodeURIComponent(`${window.location.origin}${window.location.pathname}?join=${groupIds[0]}`);
             url = encodeURIComponent(`${config.URL.AUTH}/member?retUrl=${url}&utm_source=${communityId}`);
             url = encodeURIComponent(url);
             window.location = `${config.URL.AUTH}/member/registration?retUrl=${url}&utm_source=${communityId}`;
diff --git a/src/shared/containers/Dashboard/index.jsx b/src/shared/containers/Dashboard/index.jsx
index 7c38602c2a..97a7e4f7bb 100644
--- a/src/shared/containers/Dashboard/index.jsx
+++ b/src/shared/containers/Dashboard/index.jsx
@@ -42,7 +42,7 @@ function SlashTCContainer(props) {
 
   useEffect(() => {
     if (props.tokenV3 && !isTokenExpired(props.tokenV3)) return;
-    let url = `retUrl=${encodeURIComponent(location.href)}`;
+    let url = `retUrl=${encodeURIComponent(`${window.location.origin}${window.location.pathname}`)}`;
     url = `${config.URL.AUTH}/member?${url}&utm_source=community-app-home-page`;
     location.href = url;
   }, [props.tokenV3]);
diff --git a/src/shared/containers/challenge-detail/index.jsx b/src/shared/containers/challenge-detail/index.jsx
index f5ad01c81d..43221d053d 100644
--- a/src/shared/containers/challenge-detail/index.jsx
+++ b/src/shared/containers/challenge-detail/index.jsx
@@ -327,7 +327,7 @@ class ChallengeDetailPageContainer extends React.Component {
     } = this.props;
     if (!auth.tokenV3) {
       const utmSource = communityId || 'community-app-main';
-      window.location.href = `${config.URL.AUTH}/member?retUrl=${encodeURIComponent(window.location.href)}&utm_source=${utmSource}&regSource=challenges`;
+      window.location.href = `${config.URL.AUTH}/member?retUrl=${encodeURIComponent(`${window.location.origin}${window.location.pathname}`)}&utm_source=${utmSource}&regSource=challenges`;
     } else {
       // Show security reminder to all registrants
       this.setState({
diff --git a/src/shared/containers/tc-communities/Loader.jsx b/src/shared/containers/tc-communities/Loader.jsx
index 5bcb069898..bc8c041e99 100644
--- a/src/shared/containers/tc-communities/Loader.jsx
+++ b/src/shared/containers/tc-communities/Loader.jsx
@@ -42,7 +42,7 @@ class Loader extends React.Component {
       visitorGroups,
     } = this.props;
 
-    const returnUrl = encodeURIComponent(window.location.href);
+    const returnUrl = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
 
     if (!loadingMeta && (
       !meta /* || (Date.now() - meta.timestamp) > MAXAGE */
diff --git a/src/shared/utils/tc.js b/src/shared/utils/tc.js
index c223f2818e..27d2fd8368 100644
--- a/src/shared/utils/tc.js
+++ b/src/shared/utils/tc.js
@@ -212,7 +212,7 @@ export async function getM2mToken() {
  */
 export function goToLogin(utmSource = '') {
   if (isomorphy.isClientSide()) {
-    const retUrl = encodeURIComponent(window.location.href);
+    const retUrl = encodeURIComponent(`${window.location.origin}${window.location.pathname}`);
     window.location = `${config.URL.AUTH}/member?retUrl=${retUrl}&utm_source=${utmSource}`;
   }
 }