@braintree/sanitize-url - npm Package Compare versions

Comparing version 2.0.0 to 2.0.1

CHANGELOG.md

 CHANGELOG
 =========
 
+## 2.0.1
+* Sanitize malicious URLs that begin with %20
+
 ## 2.0.0
@@ -5,0 +8,0 @@ * sanitize data: urls

index.js

 'use strict';
 
-var jsRegex = /^javascript:.*/im;
-var dataRegex = /^data:.*/im;
+var invalidPrototcolRegex = /^(%20)*(javascript|data)/im;
 var ctrlCharactersRegex = /[^\x20-\x7E]/gmi;
+var urlSchemeRegex = /^([^:]+):/gm;
 
 function sanitizeUrl(url) {
+  var urlScheme;
   var sanitizedUrl = url.replace(ctrlCharactersRegex, '');
+  var urlSchemeParseResults = sanitizedUrl.match(urlSchemeRegex);
 
-  return sanitizedUrl
-    .replace(jsRegex, 'about:blank')
-    .replace(dataRegex, 'about:blank');
+  if (!urlSchemeParseResults) {
+    return 'about:blank';
+  }
+
+  urlScheme = urlSchemeParseResults[0];
+
+  if (invalidPrototcolRegex.test(urlScheme)) {
+    return 'about:blank';
+  }
+
+  return sanitizedUrl;
 }
@@ -14,0 +24,0 @@

package.json

 {
   "name": "@braintree/sanitize-url",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "A url sanitizer",
@@ -5,0 +5,0 @@ "main": "index.js",

test/test.js

@@ -19,2 +19,10 @@ 'use strict';
 
+  it('replaces javascript urls with about:blank when javascript url begins with %20', function () {
+    expect(sanitizeUrl('%20%20%20%20javascript:alert(document.domain)')).to.equal('about:blank');
+  });
+
+  it('does not replace javascript: if it is not in the scheme of the URL', function () {
+    expect(sanitizeUrl('http://example.com#myjavascript:foo')).to.equal('http://example.com#myjavascript:foo');
+  });
+
   it('replaces data urls with about:blank', function () {
@@ -24,2 +32,6 @@ expect(sanitizeUrl('data:text/html;basfe64,PH%3Cscript%3Ealert(document.domain)%3C/script%3E')).to.equal('about:blank');
 
+  it('replaces data urls with about:blank when data url begins with %20', function () {
+    expect(sanitizeUrl('%20%20%20%20data:text/html;basfe64,PH%3Cscript%3Ealert(document.domain)%3C/script%3E')).to.equal('about:blank');
+  });
+
   it('disregards capitalization for data urls', function () {
@@ -32,2 +44,22 @@ expect(sanitizeUrl('dAtA:text/html;basfe64,PH%3Cscript%3Ealert(document.domain)%3C/script%3E')).to.equal('about:blank');
   });
+
+  it('does not alter http URLs', function () {
+    expect(sanitizeUrl('http://example.com/path/to:something')).to.equal('http://example.com/path/to:something');
+  });
+
+  it('does not alter http URLs with ports', function () {
+    expect(sanitizeUrl('http://example.com:4567/path/to:something')).to.equal('http://example.com:4567/path/to:something');
+  });
+
+  it('does not alter https URLs', function () {
+    expect(sanitizeUrl('https://example.com')).to.equal('https://example.com');
+  });
+
+  it('does not alter https URLs with ports', function () {
+    expect(sanitizeUrl('https://example.com:4567/path/to:something')).to.equal('https://example.com:4567/path/to:something');
+  });
+
+  it('does not alter deep-link urls', function () {
+    expect(sanitizeUrl('com.braintreepayments.demo://example')).to.equal('com.braintreepayments.demo://example');
+  });
 });

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

6456

increased by37.98%

Lines of code

67

increased by86.11%

No dependency changes