fix(categories): keep Top Categories colors when category query contains encoded segments (#781)

TimeToBuildBob · web-flow · commit f2d03963069d · 2026-03-23T00:37:46.000+01:00
* fix(categories): decode URL-encoded segments in category color lookup

* fix(categories): apply URL-decode normalization to get_category_score

Same URL-encoding vulnerability existed in get_category_score as was
fixed in get_category_color. Encoded segments like 'Work%20Project'
would fail to match stored decoded names and silently return score 0.

Adds a regression test mirroring the one for get_category_color.

* refactor(categories): extract normalizeSegments helper to remove duplication
diff --git a/src/stores/categories.ts b/src/stores/categories.ts
@@ -33,6 +33,18 @@ function getScoreFromCategory(c: Category, allCats: Category[]): number {
   }
 }
 
+// Normalize URL-encoded category segments (e.g. "Work%20Project" → "Work Project").
+// Route query params can arrive encoded while category names are stored decoded.
+function normalizeSegments(cat: string[]): string[] {
+  return (cat || []).map(segment => {
+    try {
+      return decodeURIComponent(segment);
+    } catch {
+      return segment;
+    }
+  });
+}
+
 export const useCategoryStore = defineStore('categories', {
   state: (): State => ({
     classes: [],
@@ -99,12 +111,12 @@ export const useCategoryStore = defineStore('categories', {
     },
     get_category_color() {
       return (cat: string[]): string => {
-        return getColorFromCategory(this.get_category(cat), this.classes);
+        return getColorFromCategory(this.get_category(normalizeSegments(cat)), this.classes);
       };
     },
     get_category_score() {
       return (cat: string[]): number => {
-        return getScoreFromCategory(this.get_category(cat), this.classes);
+        return getScoreFromCategory(this.get_category(normalizeSegments(cat)), this.classes);
       };
     },
     category_select() {
diff --git a/test/unit/store/categories.test.node.ts b/test/unit/store/categories.test.node.ts
@@ -125,4 +125,36 @@ describe('categories store', () => {
       1
     );
   });
+
+  test('get_category_color decodes URL-encoded category segments', () => {
+    categoryStore.load([
+      {
+        name: ['Work Project'],
+        rule: { type: 'regex', regex: 'work-project' },
+        data: { color: '#123456' },
+      } as Category,
+    ]);
+
+    const decoded = categoryStore.get_category_color(['Work Project']);
+    const encoded = categoryStore.get_category_color(['Work%20Project']);
+
+    expect(decoded).toEqual('#123456');
+    expect(encoded).toEqual('#123456');
+  });
+
+  test('get_category_score decodes URL-encoded category segments', () => {
+    categoryStore.load([
+      {
+        name: ['Work Project'],
+        rule: { type: 'regex', regex: 'work-project' },
+        data: { score: 42 },
+      } as Category,
+    ]);
+
+    const decoded = categoryStore.get_category_score(['Work Project']);
+    const encoded = categoryStore.get_category_score(['Work%20Project']);
+
+    expect(decoded).toEqual(42);
+    expect(encoded).toEqual(42);
+  });
 });
