Potential fix for code scanning alert no. 27: DOM text reinterpreted as HTML

[dmetzner]

Potential fix for https://github.com/Catrobat/Catroweb/security/code-scanning/27

In general, the fix is to avoid passing unvalidated DOM text directly into a navigation API. Instead, treat the value as an opaque identifier, validate it strictly (e.g., allow only IDs or a limited pattern), and then safely construct the URL. This both prevents any possibility of HTML/JS interpretation through odd URL schemes and ensures that window.location.assign only ever receives an expected, well-formed path.

For this code, the best minimal fix without changing functionality is to sanitize the id argument inside redirectUser before it is interpolated into `project/${id}`. Because id is used as a path segment, we can (a) restrict its character set to a safe subset (alphanumerics, dash, underscore, etc.) and (b) URL-encode it when building the final URL. This preserves the behavior for well-formed IDs while neutralizing potentially malicious values from data-notification-redirect.

Concretely:

• In redirectUser(type, id), introduce a small helper that:
  • Returns an empty string if id is not a string.
  • Strips all characters except a safe whitelist (for example: A-Za-z0-9_-).
  • Applies encodeURIComponent before concatenating into the path.
• Use the sanitized value in window.location.assign instead of the raw id.

All changes are confined to assets/User/NotificationsPage.js in the redirectUser method. No new imports or external libraries are needed; we can rely on built‑in JavaScript functions like encodeURIComponent and String.prototype.replace.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.