PDCL-12429 Return an empty string when invalid encoded URI components are encountered.

src/components/Identity/injectAddQueryStringIdentityToPayload.js

@@ -15,6 +15,7 @@ governing permissions and limitations under the License.
 import { queryString } from "../../utils/index.js";
 import queryStringIdentityParam from "../../constants/queryStringIdentityParam.js";
 import ecidNamespace from "../../constants/ecidNamespace.js";
+import decodeUriComponentSafely from "../../utils/decodeUriComponentSafely.js";
 
 const LINK_TTL_SECONDS = 300; // 5 minute link time to live
 
@@ -46,8 +47,7 @@ export default ({ locationSearch, dateProvider, orgId, logger }) =>
     // We are using MCMID and MCORGID to be compatible with Visitor.
     const ts = parseInt(properties.TS, 10);
     const mcmid = properties.MCMID;
-    const mcorgid = decodeURIComponent(properties.MCORGID);
-
+    const mcorgid = decodeUriComponentSafely(properties.MCORGID);
     if (
       // When TS is not specified or not a number, the following inequality returns false.
       // All inequalities with NaN variables are false.

src/components/Personalization/in-app-message-actions/utils.js

@@ -11,6 +11,7 @@ governing permissions and limitations under the License.
 */
 import { isNonEmptyArray, queryString } from "../../../utils/index.js";
 import { removeNode, selectNodes } from "../../../utils/dom/index.js";
+import decodeUriComponentSafely from "../../../utils/decodeUriComponentSafely.js";
 
 export const removeElementById = (id) => {
   const element = selectNodes(`#${id}`, document);
@@ -42,7 +43,7 @@ export const parseAnchor = (anchor) => {
   if (isNonEmptyArray(hrefParts)) {
     const queryParams = queryString.parse(hrefParts[1]);
     interaction = queryParams.interaction || "";
-    link = decodeURIComponent(queryParams.link || "");
+    link = decodeUriComponentSafely(queryParams.link || "");
   }
   return {
     action,

src/utils/decodeUriComponentSafely.js

@@ -0,0 +1,19 @@
+/*
+Copyright 2024 Adobe. All rights reserved.
+This file is licensed to you under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License. You may obtain a copy
+of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed under
+the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+OF ANY KIND, either express or implied. See the License for the specific language
+governing permissions and limitations under the License.
+*/
+
+export default (v) => {
+  try {
+    return decodeURIComponent(v);
+  } catch {
+    return "";
+  }
+};

test/functional/specs/MediaCollection/MA1.js

@@ -77,7 +77,7 @@ const assertSessionStartedInAutoPingMode = async (alloy) => {
       };
     },
   });
-  await responseStatus(networkLogger.edgeEndpointLogs.requests, 200);
+  await responseStatus(networkLogger.edgeEndpointLogs.requests, [200, 207]);
   await t.expect(networkLogger.edgeEndpointLogs.requests.length).eql(1);
 
   const createSession = networkLogger.edgeEndpointLogs.requests[0];

test/functional/specs/MediaCollection/MA2.js

@@ -57,7 +57,7 @@ test.meta({
 
 const assertSessionStarted = async () => {
   await t.expect(networkLogger.edgeEndpointLogs.count(() => true)).gte(1);
-  await responseStatus(networkLogger.edgeEndpointLogs.requests, 200);
+  await responseStatus(networkLogger.edgeEndpointLogs.requests, [200, 207]);
   await t.expect(networkLogger.edgeEndpointLogs.requests.length).eql(1);
 
   const createSession = networkLogger.edgeEndpointLogs.requests[0];

test/functional/specs/MediaCollection/MA3.js

@@ -67,7 +67,7 @@ const assertSessionStarted = async (alloy) => {
       },
     },
   });
-  await responseStatus(networkLogger.edgeEndpointLogs.requests, 200);
+  await responseStatus(networkLogger.edgeEndpointLogs.requests, [200, 207]);
   await t.expect(networkLogger.edgeEndpointLogs.requests.length).eql(1);
 
   const createSession = networkLogger.edgeEndpointLogs.requests[0];

test/functional/specs/Personalization/C17409728.js

@@ -348,7 +348,7 @@ test("Test C17409728: Automatically sends interact event when using applyProposi
 
   await t.click("#page-header");
 
-  await responseStatus(edgeEndpointLogs.requests, [200, 204]);
+  await responseStatus(edgeEndpointLogs.requests, [200, 204, 207]);
   await t.expect(edgeEndpointLogs.count(() => true)).eql(1);
 
   // TODO: Testcafe no longer captures the request body for sendBeacon requests.

test/unit/specs/utils/decodeUriComponentSafely.spec.js

@@ -0,0 +1,27 @@
+/*
+Copyright 2020 Adobe. All rights reserved.
+This file is licensed to you under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License. You may obtain a copy
+of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed under
+the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+OF ANY KIND, either express or implied. See the License for the specific language
+governing permissions and limitations under the License.
+*/
+
+import decodeUriComponentSafely from "../../../../src/utils/decodeUriComponentSafely.js";
+
+describe("decodeUriComponentSafely", () => {
+  it("decodes a uri encoded string", () => {
+    expect(decodeUriComponentSafely("%3Fx%3Dtest")).toEqual("?x=test");
+  });
+
+  it("returns an empty string when an invalid encoded URI component is provided", () => {
+    expect(
+      decodeUriComponentSafely(
+        "MCORGID%3D5BFE274A5F6980A50A495C08%2540AdobeOrg%ttt",
+      ),
+    ).toEqual("");
+  });
+});