strip query params when added to route in client linkmanager navigate #2387
Labels
security/high
Related to CVSSv3 security rating https://www.first.org/cvss/calculator/3.0
A micro frontend should not be able to control search query parameters unless it has permissions to do so (https://docs.luigi-project.io/docs/navigation-parameters-reference/?section=clientpermissionsurlparameters).
But currently it seems to be possible to call:
linkManager().navigate('/some/path?someParam=someValue') and the param is added to the main app's URL.
This must be prevented!
-> Encode values of withParams()
linkManager().withParams({bar: "test&t=foo"}).navigate("/search/components") will navigate to /search/components?~bar=test&t=foo.
-> Encode values of addCoreSearchParams()
Expected: In both cases Luigi core encodes the parameters correctly
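
The behaviour reported in this issue next to the expected one, as an added example that is not part of the original issue and is not Luigi's code. The function names are hypothetical; the `~` prefix and the sample inputs are taken from the URLs quoted in the report.

```javascript
// Added illustration: hypothetical helpers, not Luigi's implementation.
const NODE_PARAM_PREFIX = '~'; // prefix visible in the issue's example URL

// Reported behaviour: values are concatenated as-is, so "&" and "=" inside
// a value are read by the core app as extra, separate parameters.
function buildUrlUnencoded(path, params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${NODE_PARAM_PREFIX}${k}=${v}`)
    .join('&');
  return query ? `${path}?${query}` : path;
}

// Expected behaviour: strip any query or fragment passed inside the route,
// and percent-encode every key and value before building the URL.
function buildUrlEncoded(path, params) {
  const cleanPath = path.split(/[?#]/)[0];
  const query = Object.entries(params)
    .map(([k, v]) =>
      `${encodeURIComponent(NODE_PARAM_PREFIX + k)}=${encodeURIComponent(String(v))}`)
    .join('&');
  return query ? `${cleanPath}?${query}` : cleanPath;
}

// Parse the query string the way the receiving side would.
function parsedParams(url) {
  const i = url.indexOf('?');
  const query = i === -1 ? '' : url.slice(i + 1);
  return Object.fromEntries(new URLSearchParams(query));
}

const input = { bar: 'test&t=foo' }; // value from the issue
console.log(parsedParams(buildUrlUnencoded('/search/components', input)));
console.log(parsedParams(buildUrlEncoded('/search/components', input)));
console.log(buildUrlEncoded('/some/path?someParam=someValue', {}));
```

A regression test for the fix can assert that the parsed query contains exactly the keys the micro frontend passed to withParams(), with the `~` prefix, and nothing else.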