
@braintree/sanitize-url

@braintree/sanitize-url - npm Package Compare versions

Comparing version 4.1.1 to 5.0.0

4

CHANGELOG.md

@@ -0,1 +1,5 @@

# 5.0.0
- Sanitize vbscript urls (thanks @vicnicius)
# 4.1.1

@@ -2,0 +6,0 @@

2

dist/index.js
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.sanitizeUrl = void 0;
var invalidProtocolRegex = /^(%20|\s)*(javascript|data)/im;
var invalidProtocolRegex = /^(%20|\s)*(javascript|data|vbscript)/im;
var ctrlCharactersRegex = /[^\x20-\x7EÀ-ž]/gim;

@@ -6,0 +6,0 @@ var urlSchemeRegex = /^([^:]+):/gm;

{
"name": "@braintree/sanitize-url",
"version": "4.1.1",
"version": "5.0.0",
"description": "A url sanitizer",

@@ -27,9 +27,9 @@ "main": "dist/index.js",

"devDependencies": {
"@types/jest": "^26.0.4",
"@types/jest": "^26.0.13",
"chai": "^4.1.0",
"eslint": "^7.4.0",
"eslint-config-braintree": "^5.0.0-typescript-prep-rc.17",
"jest": "^26.1.0",
"prettier": "^2.0.5",
"ts-jest": "^26.1.3",
"eslint": "^7.8.1",
"eslint-config-braintree": "^5.0.0-typescript-prep-rc.18",
"jest": "^26.4.2",
"prettier": "^2.1.1",
"ts-jest": "^26.3.0",
"typescript": "^3.9.7"

@@ -36,0 +36,0 @@ },

@@ -83,2 +83,32 @@ /* eslint-disable no-script-url */

it("replaces VBscript urls with about:blank", () => {
expect(sanitizeUrl("vbscript:msgbox('XSS')")).toBe("about:blank");
});
it("disregards capitalization for VBscript urls", () => {
expect(sanitizeUrl("vbScrIpT:mSGBOX('XSS')")).toBe("about:blank");
});
it("ignores ctrl characters in VBscript urls", () => {
expect(sanitizeUrl(decodeURIComponent("VbScRiP%0at:msgbox('XSS')"))).toBe(
"about:blank"
);
});
it("replaces VBscript urls with about:blank when VBscript url begins with %20", () => {
expect(sanitizeUrl("%20%20%20%20vbscript:msgbox('XSS')")).toBe(
"about:blank"
);
});
it("replaces VBScript urls with about:blank when VBscript url begins with s", () => {
expect(sanitizeUrl(" vbscript:msgbox('XSS')")).toBe("about:blank");
});
it("does not replace VBscript: if it is not in the scheme of the URL", () => {
expect(sanitizeUrl("http://example.com#whatisvbscript:foo")).toBe(
"http://example.com#whatisvbscript:foo"
);
});
it("does not alter http URLs", () => {

@@ -85,0 +115,0 @@ expect(sanitizeUrl("http://example.com/path/to:something")).toBe(
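Review bot: The description of the leading-whitespace case reads "begins with s" — the `\s` lost its backslash inside the string literal, so the test title no longer says what the test checks; rename it to `it("replaces VBScript urls with about:blank when VBscript url begins with whitespace", () => {`. The added cases mirror the existing javascript: ones (case, control characters, %20, whitespace, scheme-only), but none combines prefixes, so a case like `expect(sanitizeUrl("%20 \tvbscript:msgbox('XSS')")).toBe("about:blank");` would additionally exercise the `(%20|\s)*` repetition with mixed prefixes. The hunk header reports 30 added lines while fewer are shown, so part of this hunk appears collapsed on this page.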

@@ -1,2 +0,2 @@

const invalidProtocolRegex = /^(%20|\s)*(javascript|data)/im;
const invalidProtocolRegex = /^(%20|\s)*(javascript|data|vbscript)/im;
const ctrlCharactersRegex = /[^\x20-\x7EÀ-ž]/gim;

@@ -3,0 +3,0 @@ const urlSchemeRegex = /^([^:]+):/gm;
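Review bot: Adding `vbscript` to `invalidProtocolRegex` keeps it a deny-list, so any script-capable or otherwise unwanted scheme not named on that line still passes through `sanitizeUrl` unchanged, and each newly noticed one needs another release like this; an allow-list of the schemes callers actually need (http, https, mailto, …) with `about:blank` for everything else would have covered vbscript without this change and is the shape a sanitizer should aim for. If the deny-list is kept deliberately, say so on the line: `// Deny-list of schemes that execute script in some browsers; anything not listed here is returned as-is — keep in sync with the tests.` The function that applies this regex is outside the hunk, so whether `ctrlCharactersRegex` runs before this match (as the new control-character test implies) cannot be confirmed from here.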
