fix: decode uri and sanitize whitespace
ibooker committed May 8, 2024
1 parent 1c0be2b commit cf7dbb8
Showing 4 changed files with 15 additions and 6 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -1,6 +1,7 @@
# CHANGELOG

## 7.0.1

- Improve sanitization of HTML entities

## 7.0.0
7 changes: 6 additions & 1 deletion src/__tests__/index.test.ts
Expand Up @@ -132,7 +132,12 @@ describe("sanitizeUrl", () => {
"javascri\npt:alert('xss')",
"javascri\rpt:alert('xss')",
"javascri\tpt:alert('xss')",
"javascrip\x74t:alert('XSS')",
"javascrip\\%74t:alert('XSS')",
"javascrip%5c%72t:alert()",
"javascrip%5Ctt:alert()",
"javascrip%255Ctt:alert()",
"javascrip%25%35Ctt:alert()",
"javascrip%25%35%43tt:alert()",
];

attackVectors.forEach((vector) => {
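Review bot: The new vectors on lines 32–37 cover literal, encoded and double-encoded backslash forms, but no case exercises a malformed percent sequence, which the `decodeURIComponent` call this commit adds in src/index.ts rejects with a URIError instead of sanitizing. Add a case asserting that an input with an incomplete escape, such as `"https://example.com/100%"` (constructed), returns a string rather than throwing, e.g. `expect(() => sanitizeUrl("https://example.com/100%")).not.toThrow();`. The enclosing describe block begins and ends outside the hunk.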
3 changes: 2 additions & 1 deletion src/constants.ts
Expand Up @@ -4,6 +4,7 @@ export const htmlCtrlEntityRegex = /&(newline|tab);/gi;
export const ctrlCharactersRegex =
/[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim;
export const urlSchemeRegex = /^.+(:|:)/gim;
export const whitespaceEscapeChars = /\\[nrt]/g;
export const whitespaceEscapeCharsRegex =
/(\\|%5[cC])((%(6[eE]|72|74))|[nrt])/g;
export const relativeFirstCharacters = [".", "/"];
export const BLANK_URL = "about:blank";
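Review bot: `whitespaceEscapeCharsRegex` on lines 49–50 carries no comment, and its shape is not obvious at a glance: it matches a backslash, literal or as `%5c`/`%5C`, followed by `n`, `r` or `t` either literal or as `%6e`/`%6E`, `%72` or `%74`. A comment such as `// backslash (raw or %5C) followed by n/r/t (raw or %6E/%72/%74); the percent forms survive a single decodeURIComponent of double-encoded input` would let a maintainer judge which variants are covered; the vectors added in src/__tests__/index.test.ts in this commit suggest the intent is to keep such sequences from splitting a scheme name, but the page does not state that explicitly, so confirm before documenting it as the purpose.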
10 changes: 6 additions & 4 deletions src/index.ts
@@ -1,12 +1,13 @@
import {
BLANK_URL,
ctrlCharactersRegex,
hexCodesRegex,

htmlCtrlEntityRegex,
htmlEntitiesRegex,
invalidProtocolRegex,
relativeFirstCharacters,
urlSchemeRegex,
whitespaceEscapeChars,
whitespaceEscapeCharsRegex,
} from "./constants";

function isRelativeUrlWithoutProtocol(url: string): boolean {
Expand All @@ -26,18 +27,19 @@ export function sanitizeUrl(url?: string): string {
return BLANK_URL;
}
let charsToDecode;
let decodedUrl = url;
let decodedUrl = decodeURIComponent(url);

do {
decodedUrl = decodeHtmlCharacters(decodedUrl)
.replace(htmlCtrlEntityRegex, "")
.replace(ctrlCharactersRegex, "")
.replace(whitespaceEscapeChars, "")
.replace(whitespaceEscapeCharsRegex, "")
.trim();
charsToDecode =
decodedUrl.match(ctrlCharactersRegex) ||
decodedUrl.match(htmlEntitiesRegex) ||
decodedUrl.match(htmlCtrlEntityRegex) ||
decodedUrl.match(whitespaceEscapeChars);
decodedUrl.match(whitespaceEscapeCharsRegex);
} while (charsToDecode && charsToDecode.length > 0);
const sanitizedUrl = decodedUrl;
if (!sanitizedUrl) {
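Review bot: `decodeURIComponent(url)` on line 83 throws a URIError when the input is not valid percent-encoding (a trailing `%`, a `%` not followed by two hex digits, or a sequence that does not decode to valid UTF-8), so sanitizeUrl now throws for inputs that the previous `let decodedUrl = url;` simply passed into the loop; callers that relied on always receiving a string get an exception instead. Guard the decode so a malformed sequence falls back to the raw input, e.g. `let decodedUrl = url; try { decodedUrl = decodeURIComponent(url); } catch { /* malformed escape: sanitize the raw string */ }`, and keep the loop as written. Separately, `hexCodesRegex` on line 59 is imported but not referenced anywhere in the visible new code, which the workflow annotation also flags; drop it from the import list. sanitizeUrl's body continues past the end of this hunk, so the fallback path after line 100 was not reviewed.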
