Bug: getHashFragmentParams incorrectly decodes entire hash fragment

Description

The UrlHelperService.getHashFragmentParams method is prematurely decoding the entire URL hash fragment with decodeURIComponent before parsing individual parameters. This causes issues when parameter values contain encoded special characters, particularly with Azure AD and implicit flow.
Steps to reproduce

- Use implicit flow with Azure AD
- Perform a silent refresh operation
- When silent refresh fails, Azure AD returns a hash fragment containing parameters including error_uri, which contains encoded URL characters
Current behavior

The hash fragment returned by Azure AD looks like:

#error=login_required&error_description=AADSTS50058%3a+A+silent+sign-in+request...&error_uri=https%3a%2f%2flogin.microsoftonline.com%2ferror%3fcode%3d50058&state=...

It is decoded prematurely with:

hash = decodeURIComponent(hash);

This decodes the error_uri value so that it contains a literal ? character, which then breaks the subsequent parsing because the question mark is interpreted as a parameter delimiter.
Expected behavior

The hash fragment should not be decoded as a whole. Instead, decoding should only be applied to individual parameters after they have been parsed into key-value pairs, which the parseQueryString method already does:

key = decodeURIComponent(escapedKey);
value = decodeURIComponent(escapedValue);
Fix suggestion

Remove the line hash = decodeURIComponent(hash); from the getHashFragmentParams method, allowing parseQueryString to handle decoding each parameter individually.
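The following is an added, stand-alone JavaScript example (not the library's own code) that models the current and the fixed behaviour side by side on a fragment shaped like the Azure AD one above. The sample fragment is constructed with shortened values; the '?' handling in the two getHashFragmentParams variants (taking everything after a '?' as the parameter list) and the simplified parseQueryString are assumptions modelled on what the report describes, not copied from the project.

```javascript
// Constructed sample hash fragment, shaped like the Azure AD silent-refresh
// error above (values shortened). Note error_uri carries %3f, an encoded '?'.
const SAMPLE_HASH =
  '#error=login_required' +
  '&error_description=AADSTS50058%3a+A+silent+sign-in+request+was+sent' +
  '&error_uri=https%3a%2f%2flogin.microsoftonline.com%2ferror%3fcode%3d50058' +
  '&state=abc123';

// Simplified model of parseQueryString (assumption): split on '&' and '=',
// then decode each key and value individually.
function parseQueryString(queryString) {
  const data = {};
  if (!queryString) return data;
  for (const pair of queryString.split('&')) {
    const separatorIndex = pair.indexOf('=');
    const escapedKey = separatorIndex === -1 ? pair : pair.slice(0, separatorIndex);
    const escapedValue = separatorIndex === -1 ? '' : pair.slice(separatorIndex + 1);
    const key = decodeURIComponent(escapedKey);
    const value = decodeURIComponent(escapedValue);
    data[key] = value;
  }
  return data;
}

// Shared tail of both variants (assumption modelled on the report): a '?' in
// the fragment marks the start of the parameter list, otherwise drop the '#'.
function stripPrefix(hash) {
  if (hash.indexOf('#') !== 0) return null;
  const questionMarkPosition = hash.indexOf('?');
  return questionMarkPosition > -1
    ? hash.slice(questionMarkPosition + 1)
    : hash.slice(1);
}

// Current (buggy) behaviour: decode the entire fragment first. The encoded
// '?' inside error_uri becomes a real '?', and everything before it,
// including the error and error_description parameters, is discarded.
function getHashFragmentParamsBuggy(hash) {
  hash = decodeURIComponent(hash); // premature whole-fragment decode
  const query = stripPrefix(hash);
  return query === null ? {} : parseQueryString(query);
}

// Fixed behaviour: leave the fragment encoded until each parameter has been
// split off, so %3f can never be mistaken for a delimiter.
function getHashFragmentParamsFixed(hash) {
  const query = stripPrefix(hash);
  return query === null ? {} : parseQueryString(query);
}

console.log('buggy:', getHashFragmentParamsBuggy(SAMPLE_HASH));
console.log('fixed:', getHashFragmentParamsFixed(SAMPLE_HASH));
```

Running it shows the buggy variant returning only code and state (the error parameter is gone, so the caller cannot tell that the silent refresh failed), while the fixed variant returns all four parameters with error_uri correctly decoded to https://login.microsoftonline.com/error?code=50058.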