fix: improve CSRF token handling and simplify error logging in API services

fix: enhance path validation for login/logout redirection
refactor: streamline pager button text handling and remove unnecessary HTML escaping

Author: ChaosEngine

src/IdentityManager2/Assets/Scripts/App/ttIdm.js

@@ -16,14 +16,14 @@
                     if (config.method && config.method !== 'GET') {
                         try {
                             const rvt = document.querySelector('input[name="__RequestVerificationToken"]');
-                            if (rvt) {
-                                const token = rvt.value;
-                                if (token) {
-                                    if (!config.headers) {
-                                        config.headers = {};
-                                    }
-                                    config.headers.RequestVerificationToken = token;
+                            if (rvt && rvt.value) {
+                                if (!config.headers) {
+                                    config.headers = {};
                                 }
+                                config.headers.RequestVerificationToken = rvt.value;
+                            } else {
+                                // eslint-disable-next-line no-console
+                                console.warn("Anti-forgery token not present in DOM; state-changing request proceeds without CSRF protection.");
                             }
                         } catch (e) {
                             // eslint-disable-next-line no-console
@@ -127,7 +127,7 @@
                         if (resp.status === 403) {
                             throw "You are not authorized to use this service.";
                         } else {
-                            throw resp.data && (resp.data.exceptionMessage || resp.data.message) ||
+                            throw resp.data && resp.data.message ||
                                 "Failed to access IdentityManager API.";
                         }
                     });
@@ -138,7 +138,7 @@
     idmApi.$inject = ["$http", "$q", "PathBase"];
     app.factory("idmApi", idmApi);
 
-    function idmUsers($http, idmApi, $log) {
+    function idmUsers($http, idmApi) {
         function nop() {
         }
 
@@ -149,9 +149,6 @@
         function errorHandler(msg) {
             msg = msg || "Unexpected Error";
             return function (response) {
-                if (response.data.exceptionMessage) {
-                    $log.error(response.data.exceptionMessage);
-                }
                 throw response.data.errors || response.data.message || msg;
             };
         }
@@ -213,10 +210,10 @@
 
         return svc;
     }
-    idmUsers.$inject = ["$http", "idmApi", "$log"];
+    idmUsers.$inject = ["$http", "idmApi"];
     app.factory("idmUsers", idmUsers);
 
-    function idmRoles($http, idmApi, $log) {
+    function idmRoles($http, idmApi) {
         function nop() {
         }
 
@@ -227,9 +224,6 @@
         function errorHandler(msg) {
             msg = msg || "Unexpected Error";
             return function(response) {
-                if (response.data.exceptionMessage) {
-                    $log.error(response.data.exceptionMessage);
-                }
                 throw response.data.errors || response.data.message || msg;
             };
         }
@@ -273,7 +267,7 @@
 
         return svc;
     }
-    idmRoles.$inject = ["$http", "idmApi", "$log"];
+    idmRoles.$inject = ["$http", "idmApi"];
     app.factory("idmRoles", idmRoles);
 })(angular);
 

src/IdentityManager2/Assets/Scripts/App/ttIdmApp.js

@@ -53,16 +53,21 @@
 
         load();
 
+        function isSafePath(path) {
+            // Must start with a single '/' to prevent open redirect via protocol-relative URLs or javascript: schemes
+            return typeof path === 'string' && path.length > 1 && path.charAt(0) === '/' && path.charAt(1) !== '/';
+        }
+
         $rootScope.login = function () {
             idmErrorService.clear();
-
-            $window.location = PathBase + (LoginPath || "/api/login");
+            const path = isSafePath(LoginPath) ? LoginPath : "/api/login";
+            $window.location = PathBase + path;
         };
 
         $rootScope.logout = function() {
             idmErrorService.clear();
-
-            $window.location = PathBase + (LogoutPath || "/api/logout");
+            const path = isSafePath(LogoutPath) ? LogoutPath : "/api/logout";
+            $window.location = PathBase + path;
         };
     }
     LayoutCtrl.$inject = ["$rootScope", "PathBase", "idmApi", "$location", "$window", "idmErrorService", "ShowLoginButton",

src/IdentityManager2/Assets/Scripts/App/ttIdmUI.js

@@ -173,33 +173,10 @@
     ttPagerSummary.$inject = ["PathBase"];
     app.directive("ttPagerSummary", ttPagerSummary);
 
-    function idmPager($sce) {
-        function escapeHtml(value) {
-            return String(value)
-                .replace(/&/g, "&")
-                .replace(/</g, "&lt;")
-                .replace(/>/g, "&gt;")
-                .replace(/"/g, "&quot;")
-                .replace(/'/g, "&#39;");
-        }
-
-        var allowedPagerHtml = {
-            "<strong>&lt;&lt;</strong>": true,
-            "<strong>&lt;</strong>": true,
-            "<strong>&gt;</strong>": true,
-            "<strong>&gt;&gt;</strong>": true
-        };
-
-        function trustPagerText(text) {
-            if (allowedPagerHtml[text]) {
-                return $sce.trustAsHtml(text);
-            }
-            return $sce.trustAsHtml(escapeHtml(text));
-        }
-
+    function idmPager() {
         function Pager(result, pageSize) {
             function PagerButton(text, page, enabled, current) {
-                this.text = trustPagerText(text);
+                this.text = String(text);
                 this.page = page;
                 this.enabled = enabled;
                 this.current = current;
@@ -236,19 +213,19 @@
             var nextPage = this.currentPage + pageSkip;
             if (nextPage > this.totalPages) nextPage = this.totalPages;
 
-            this.buttons.push(new PagerButton("<strong>&lt;&lt;</strong>", 1, endButton > totalButtons));
-            this.buttons.push(new PagerButton("<strong>&lt;</strong>", prevPage, endButton > totalButtons));
+            this.buttons.push(new PagerButton("«", 1, endButton > totalButtons));
+            this.buttons.push(new PagerButton("‹", prevPage, endButton > totalButtons));
 
             for (var i = startButton; i <= endButton; i++) {
                 this.buttons.push(new PagerButton(i, i, true, i === this.currentPage));
             }
 
-            this.buttons.push(new PagerButton("<strong>&gt;</strong>", nextPage, endButton < this.totalPages));
-            this.buttons.push(new PagerButton("<strong>&gt;&gt;</strong>", this.totalPages, endButton < this.totalPages));
+            this.buttons.push(new PagerButton("›", nextPage, endButton < this.totalPages));
+            this.buttons.push(new PagerButton("»", this.totalPages, endButton < this.totalPages));
         }
         return Pager;
     }
-    idmPager.$inject = ["$sce"];
+    idmPager.$inject = [];
     app.service("idmPager", idmPager);
 
     function ttConfirmClick() {

src/IdentityManager2/Assets/Scripts/Bundle.js

@@ -1,6 +1,6 @@
 <ul class="center-block pagination">
     <li ng-repeat="button in pager.buttons"
         ng-class="!button.enabled ? 'disabled' : (button.current ? 'active':'')">
-        <a href="#/{{path}}/list/{{pager.filter}}/{{button.page}}" ng-bind-html="button.text"></a>
+        <a href="#/{{path}}/list/{{pager.filter}}/{{button.page}}" ng-bind="button.text"></a>
     </li>
 </ul>