TAMULib / SAGE

Search Aggregation Engine
MIT License

Angularjs $location.search is not safe to use when passing '#'. #502

Open kaladay opened 1 year ago

kaladay commented 1 year ago

Describe the bug

AngularJS made a mistake where they double-dutied the $location.search() method. In addition to passing a string, it allows a hash. A hash will utilize the # character (U+0023). It then attempts to map the # to an object.

There is also a security concern with this. If the search included a valid object, then an object may be passed. This is an unknown state that has the uninvestigated potential for exploitation.

This affects all angularjs code and so we should probably check other projects for the same problem. Any string that might include a '#' is a candidate for being fixed.

The solution is to re-encode the # back into a %23. The rest of the process properly encodes the %23 into a # and should be left alone. The problem happens explicitly with the $location.search() call.

To Reproduce

Steps to reproduce the behavior:

  1. Go to any valid SAGE discover view.
  2. Add # to the search and click search.
  3. Reload the page.
  4. See error.

Expected behavior

Reloading the page should be the same as the initial search. There should be no HTTP 400 error code.

Additional context

See: https://docs.angularjs.org/api/ng/service/$location#search

This issue report is derived from the spike investigation of #492.
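As an added illustration of the reload failure described in this report (example code, not SAGE or AngularJS code), the snippet below shows why a raw `#` in a search value disappears when the URL is loaded again and how re-encoding it as `%23` preserves it. The base URL and the `q` parameter name are assumptions.

```javascript
// Added example: a raw '#' in a query value becomes a URL fragment on reload,
// so the search term is truncated; re-encoding it as %23 keeps it intact.

// Naive client behaviour: the term is dropped into the query string untouched.
function buildUrlRaw(base, term) {
  return `${base}?q=${term}`;
}

// The fix proposed in the issue: re-encode only '#' as %23 before it reaches
// the query string. Other characters are left to the existing encoding path.
function encodeHashForSearch(term) {
  return term.replace(/#/g, '%23');
}

function buildUrlSafe(base, term) {
  return `${base}?q=${encodeHashForSearch(term)}`;
}

// Simulates the reload: parse the URL as a browser would and read the
// parameter back. Everything after the first '#' is the fragment, which
// never reaches the server, so the query value is cut short.
function searchTermAfterReload(url) {
  const u = new URL(url);
  return { q: u.searchParams.get('q'), fragment: u.hash };
}

// Constructed input: a search term containing a literal '#'.
const BASE = 'https://sage.example/discover'; // assumed discover-view URL
const TERM = 'rust#async';

console.log(searchTermAfterReload(buildUrlRaw(BASE, TERM)));
// q is truncated to 'rust', fragment is '#async'
console.log(searchTermAfterReload(buildUrlSafe(BASE, TERM)));
// q round-trips as 'rust#async', fragment is empty
```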

ghost commented 1 year ago

@kaladay what do you mean by "Angular.js made a mistake by double-dutying the $location.search()"?

I think I understand the issue you discovered but do not understand the description of the cause. Could you reference the Angular.js code that the claim is describing?