@braintree/sanitize-url
Comparing version 2.0.0 to 2.0.1
CHANGELOG | ||
========= | ||
## 2.0.1 | ||
* Sanitize malicious URLs that begin with %20 | ||
## 2.0.0 | ||
@@ -5,0 +8,0 @@ * sanitize data: urls |
index.js
'use strict'; | ||
var jsRegex = /^javascript:.*/im; | ||
var dataRegex = /^data:.*/im; | ||
var invalidPrototcolRegex = /^(%20)*(javascript|data)/im; | ||
var ctrlCharactersRegex = /[^\x20-\x7E]/gmi; | ||
var urlSchemeRegex = /^([^:]+):/gm; | ||
function sanitizeUrl(url) { | ||
var urlScheme; | ||
var sanitizedUrl = url.replace(ctrlCharactersRegex, ''); | ||
var urlSchemeParseResults = sanitizedUrl.match(urlSchemeRegex); | ||
return sanitizedUrl | ||
.replace(jsRegex, 'about:blank') | ||
.replace(dataRegex, 'about:blank'); | ||
if (!urlSchemeParseResults) { | ||
return 'about:blank'; | ||
} | ||
urlScheme = urlSchemeParseResults[0]; | ||
if (invalidPrototcolRegex.test(urlScheme)) { | ||
return 'about:blank'; | ||
} | ||
return sanitizedUrl; | ||
} | ||
@@ -14,0 +24,0 @@ |
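Review bot: The new `if (!urlSchemeParseResults) { return 'about:blank'; }` branch in sanitizeUrl turns every input that contains no `:` into `about:blank`, so path-relative hrefs such as `/checkout` or `page.html`, which the 2.0.0 body (the `.replace(jsRegex, …).replace(dataRegex, …)` chain) passed through untouched, now come back unusable; the `+`/`-` markers are lost on this page, but the `(%20)*` regex and the CHANGELOG entry identify the scheme-check body as the new side. If relative URLs are meant to keep working, that branch should hand back the stripped input instead: `if (!urlSchemeParseResults) { return sanitizedUrl; }`. Only the percent-encoded form of a leading space is normalised before the scheme is read, while a literal 0x20 is inside the range `ctrlCharactersRegex` keeps, so a `sanitizedUrl = sanitizedUrl.trim();` before the `match` would make the check independent of how leading whitespace is encoded. As far as this hunk shows, `jsRegex` and `dataRegex` are no longer referenced by the new body and can be removed, and `invalidPrototcolRegex` is misspelt (`invalidProtocolRegex`).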
{ | ||
"name": "@braintree/sanitize-url", | ||
"version": "2.0.0", | ||
"version": "2.0.1", | ||
"description": "A url sanitizer", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
@@ -19,2 +19,10 @@ 'use strict'; | ||
it('replaces javascript urls with about:blank when javascript url begins with %20', function () { | ||
expect(sanitizeUrl('%20%20%20%20javascript:alert(document.domain)')).to.equal('about:blank'); | ||
}); | ||
it('does not replace javascript: if it is not in the scheme of the URL', function () { | ||
expect(sanitizeUrl('http://example.com#myjavascript:foo')).to.equal('http://example.com#myjavascript:foo'); | ||
}); | ||
it('replaces data urls with about:blank', function () { | ||
@@ -24,2 +32,6 @@ expect(sanitizeUrl('data:text/html;basfe64,PH%3Cscript%3Ealert(document.domain)%3C/script%3E')).to.equal('about:blank'); | ||
it('replaces data urls with about:blank when data url begins with %20', function () { | ||
expect(sanitizeUrl('%20%20%20%20data:text/html;basfe64,PH%3Cscript%3Ealert(document.domain)%3C/script%3E')).to.equal('about:blank'); | ||
}); | ||
it('disregards capitalization for data urls', function () { | ||
@@ -32,2 +44,22 @@ expect(sanitizeUrl('dAtA:text/html;basfe64,PH%3Cscript%3Ealert(document.domain)%3C/script%3E')).to.equal('about:blank'); | ||
}); | ||
it('does not alter http URLs', function () { | ||
expect(sanitizeUrl('http://example.com/path/to:something')).to.equal('http://example.com/path/to:something'); | ||
}); | ||
it('does not alter http URLs with ports', function () { | ||
expect(sanitizeUrl('http://example.com:4567/path/to:something')).to.equal('http://example.com:4567/path/to:something'); | ||
}); | ||
it('does not alter https URLs', function () { | ||
expect(sanitizeUrl('https://example.com')).to.equal('https://example.com'); | ||
}); | ||
it('does not alter https URLs with ports', function () { | ||
expect(sanitizeUrl('https://example.com:4567/path/to:something')).to.equal('https://example.com:4567/path/to:something'); | ||
}); | ||
it('does not alter deep-link urls', function () { | ||
expect(sanitizeUrl('com.braintreepayments.demo://example')).to.equal('com.braintreepayments.demo://example'); | ||
}); | ||
}); |
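Review bot: None of the added cases pins what sanitizeUrl returns for an input without a scheme, yet the new `!urlSchemeParseResults` branch in index.js makes that a behaviour change (a bare path such as `/checkout` now yields `about:blank`, where 2.0.0 returned it unchanged). Add one case that states the intended result either way, e.g. `it('handles relative urls', function () { expect(sanitizeUrl('/path/to:something')).to.equal(/* intended value */); });`, so the next edit to the scheme check cannot flip it silently. The `%20` cases could also gain a companion that uses a literal leading space, which would document whether the scheme check is meant to cover both encodings.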