From bfbcd31f352f3ce4e6dfcdd0c45ee56bd5610f29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Ku=C3=9Fowski?= <c.kussowski@famedly.com>
Date: Sun, 22 Feb 2026 12:27:58 +0100
Subject: [PATCH] chore: Sanitize hash param for oidc

---
 lib/main.dart | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/main.dart b/lib/main.dart
index d173f77e9..62355e518 100644
--- a/lib/main.dart
+++ b/lib/main.dart
@@ -1,6 +1,7 @@
 import 'dart:isolate';
 import 'dart:ui';
 
+import 'package:flutter/foundation.dart';
 import 'package:flutter/material.dart';
 
 import 'package:collection/collection.dart';
@@ -8,6 +9,7 @@ import 'package:flutter_secure_storage/flutter_secure_storage.dart';
 import 'package:flutter_vodozemac/flutter_vodozemac.dart' as vod;
 import 'package:matrix/matrix.dart';
 import 'package:shared_preferences/shared_preferences.dart';
+import 'package:universal_html/universal_html.dart' as web;
 
 import 'package:fluffychat/config/app_config.dart';
 import 'package:fluffychat/utils/client_manager.dart';
@@ -30,6 +32,14 @@ void main() async {
     await waitForPushIsolateDone();
   }
 
+  // Sanitize hash for OIDC:
+  if (kIsWeb) {
+    final hash = web.window.location.hash;
+    if (hash.isNotEmpty && !hash.startsWith('/')) {
+      web.window.location.hash = hash.replaceFirst('#', '#?');
+    }
+  }
+
   // Our background push shared isolate accesses flutter-internal things very early in the startup proccess
   // To make sure that the parts of flutter needed are started up already, we need to ensure that the
   // widget bindings are initialized already.