@braintree/sanitize-url
Comparing version 6.0.0 to 6.0.1
@@ -1,3 +0,10 @@ | ||
# 6.0.0 | ||
# CHANGELOG | ||
## 6.0.1 | ||
- Fix issue where urls in the form `javascript:alert('xss');` were not properly sanitized | ||
- Fix issue where urls in the form `javasc	ript:alert('XSS');` were not properly sanitized | ||
## 6.0.0 | ||
**Breaking Changes** | ||
@@ -21,11 +28,11 @@ | ||
# 5.0.2 | ||
## 5.0.2 | ||
- Fix issue where certain invisible white space characters were not being sanitized (#35) | ||
# 5.0.1 | ||
## 5.0.1 | ||
- Fix issue where certain safe characters were being filtered out (#31 thanks @akirchmyer) | ||
# 5.0.0 | ||
## 5.0.0 | ||
@@ -36,12 +43,10 @@ _Breaking Changes_ | ||
# 4.1.1 | ||
## 4.1.1 | ||
- Fixup path to type declaration (closes #25) | ||
# 4.1.0 | ||
## 4.1.0 | ||
- Add typescript types | ||
# CHANGELOG | ||
## 4.0.1 | ||
@@ -48,0 +53,0 @@ |
@@ -6,4 +6,5 @@ "use strict"; | ||
var htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g; | ||
var htmlTabEntityRegex = /&tab;/gi; | ||
var ctrlCharactersRegex = /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim; | ||
var urlSchemeRegex = /^([^:]+):/gm; | ||
var urlSchemeRegex = /^.+(:|:)/gim; | ||
var relativeFirstCharacters = [".", "/"]; | ||
@@ -15,2 +16,3 @@ function isRelativeUrlWithoutProtocol(url) { | ||
function decodeHtmlCharacters(str) { | ||
str = str.replace(htmlTabEntityRegex, "	"); | ||
return str.replace(htmlEntitiesRegex, function (match, dec) { | ||
@@ -17,0 +19,0 @@ return String.fromCharCode(dec); |
{ | ||
"name": "@braintree/sanitize-url", | ||
"version": "6.0.0", | ||
"version": "6.0.1", | ||
"description": "A url sanitizer", | ||
@@ -27,12 +27,12 @@ "main": "dist/index.js", | ||
"devDependencies": { | ||
"@types/jest": "^27.4.0", | ||
"@typescript-eslint/eslint-plugin": "^5.9.0", | ||
"chai": "^4.3.4", | ||
"eslint": "^8.6.0", | ||
"@types/jest": "^27.4.1", | ||
"@typescript-eslint/eslint-plugin": "^5.19.0", | ||
"chai": "^4.3.6", | ||
"eslint": "^8.13.0", | ||
"eslint-config-braintree": "^6.0.0-typescript-prep-rc.2", | ||
"eslint-plugin-prettier": "^4.0.0", | ||
"jest": "^27.4.5", | ||
"prettier": "^2.5.1", | ||
"ts-jest": "^27.1.2", | ||
"typescript": "^4.5.4" | ||
"jest": "^27.5.1", | ||
"prettier": "^2.6.2", | ||
"ts-jest": "^27.1.4", | ||
"typescript": "^4.6.3" | ||
}, | ||
@@ -39,0 +39,0 @@ "jest": { |
@@ -103,2 +103,3 @@ /* eslint-disable no-script-url */ | ||
"  javascript:alert('XSS');", | ||
"javasc	ript: alert('XSS');", | ||
]; | ||
@@ -140,2 +141,11 @@ | ||
it(`disallows ${protocol} urls that use : for the colon portion of the url`, () => { | ||
expect(sanitizeUrl(`${protocol}:alert(document.domain)`)).toBe( | ||
"about:blank" | ||
); | ||
expect(sanitizeUrl(`${protocol}:alert(document.domain)`)).toBe( | ||
"about:blank" | ||
); | ||
}); | ||
it(`disregards capitalization for ${protocol} urls`, () => { | ||
@@ -142,0 +152,0 @@ // upper case every other letter in protocol name |
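Review bot: The two `expect(sanitizeUrl(`${protocol}:alert(document.domain)`))` blocks inside the new `it(...)` are indistinguishable as rendered, so a reader cannot tell what the second assertion adds over the first; if they differ only in how the colon is spelled (for example an HTML entity in different letter case that the page rendering has decoded), each needs a one-line comment naming the variant it covers, or the two should become a `for (const colon of [...])` loop so the case under test is explicit. The surrounding `describe` block and the `protocol` iteration it belongs to start outside the hunk. The count in the hunk header (11 new lines) also exceeds the lines visible here, so some added lines appear to be missing from this rendering.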
const invalidProtocolRegex = /^([^\w]*)(javascript|data|vbscript)/im; | ||
const htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g; | ||
const htmlTabEntityRegex = /&tab;/gi; | ||
const ctrlCharactersRegex = | ||
/[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim; | ||
const urlSchemeRegex = /^([^:]+):/gm; | ||
const urlSchemeRegex = /^.+(:|:)/gim; | ||
const relativeFirstCharacters = [".", "/"]; | ||
@@ -14,2 +15,3 @@ | ||
function decodeHtmlCharacters(str: string) { | ||
str = str.replace(htmlTabEntityRegex, "	"); | ||
return str.replace(htmlEntitiesRegex, (match, dec) => { | ||
@@ -16,0 +18,0 @@ return String.fromCharCode(dec); |
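Review bot: The new `urlSchemeRegex = /^.+(:|:)/gim` replaces the non-greedy `[^:]+` with a greedy `.+`, so the match now runs to the last colon in the input rather than the first, and the rendered alternation `(:|:)` reads as two identical branches; if the second branch is a named HTML entity that the page rendering decoded, the regex needs a comment saying so, because `htmlEntitiesRegex` (`/&#(\w+)(^\w|;)?/g`) decodes only numeric `&#…;` entities, so named entities survive `decodeHtmlCharacters` and must be matched here. The same one-entity-at-a-time approach appears in the new `htmlTabEntityRegex` and its `str.replace(htmlTabEntityRegex, ...)` line: each named entity that can split or stand in for the scheme is a separate special case, which is fragile. Suggest documenting the intent with `// decodeHtmlCharacters() handles numeric entities only; named entities that affect scheme parsing are handled case by case below` and considering a single named-entity decode step instead of per-entity regexes. `sanitizeUrl`, which consumes this match, is outside the hunk, and the compiled copy in dist/index.js mirrors these same lines.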