@braintree/sanitize-url - npm Package Compare versions

Comparing version 6.0.0 to 6.0.1

CHANGELOG.md

@@ -1,3 +0,10 @@
-# 6.0.0
+# CHANGELOG
 
+## 6.0.1
+
+- Fix issue where urls in the form `javascript:alert('xss');` were not properly sanitized
+- Fix issue where urls in the form `javasc	ript:alert('XSS');` were not properly sanitized
+
+## 6.0.0
+
 **Breaking Changes**
@@ -21,11 +28,11 @@
 
-# 5.0.2
+## 5.0.2
 
 - Fix issue where certain invisible white space characters were not being sanitized (#35)
 
-# 5.0.1
+## 5.0.1
 
 - Fix issue where certain safe characters were being filtered out (#31 thanks @akirchmyer)
 
-# 5.0.0
+## 5.0.0
 
@@ -36,12 +43,10 @@ _Breaking Changes_
 
-# 4.1.1
+## 4.1.1
 
 - Fixup path to type declaration (closes #25)
 
-# 4.1.0
+## 4.1.0
 
 - Add typescript types
 
-# CHANGELOG
-
 ## 4.0.1
@@ -48,0 +53,0 @@

dist/index.js

@@ -6,4 +6,5 @@ "use strict";
 var htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g;
+var htmlTabEntityRegex = /&tab;/gi;
 var ctrlCharactersRegex = /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim;
-var urlSchemeRegex = /^([^:]+):/gm;
+var urlSchemeRegex = /^.+(:|:)/gim;
 var relativeFirstCharacters = [".", "/"];
@@ -15,2 +16,3 @@ function isRelativeUrlWithoutProtocol(url) {
 function decodeHtmlCharacters(str) {
+    str = str.replace(htmlTabEntityRegex, "	");
     return str.replace(htmlEntitiesRegex, function (match, dec) {
@@ -17,0 +19,0 @@ return String.fromCharCode(dec);

package.json

 {
   "name": "@braintree/sanitize-url",
-  "version": "6.0.0",
+  "version": "6.0.1",
   "description": "A url sanitizer",
@@ -27,12 +27,12 @@ "main": "dist/index.js",
   "devDependencies": {
-    "@types/jest": "^27.4.0",
-    "@typescript-eslint/eslint-plugin": "^5.9.0",
-    "chai": "^4.3.4",
-    "eslint": "^8.6.0",
+    "@types/jest": "^27.4.1",
+    "@typescript-eslint/eslint-plugin": "^5.19.0",
+    "chai": "^4.3.6",
+    "eslint": "^8.13.0",
     "eslint-config-braintree": "^6.0.0-typescript-prep-rc.2",
     "eslint-plugin-prettier": "^4.0.0",
-    "jest": "^27.4.5",
-    "prettier": "^2.5.1",
-    "ts-jest": "^27.1.2",
-    "typescript": "^4.5.4"
+    "jest": "^27.5.1",
+    "prettier": "^2.6.2",
+    "ts-jest": "^27.1.4",
+    "typescript": "^4.6.3"
   },
@@ -39,0 +39,0 @@ "jest": {

src/__tests__/test.ts

@@ -103,2 +103,3 @@ /* eslint-disable no-script-url */
       "  javascript:alert('XSS');",
+      "javasc	ript: alert('XSS');",
     ];
@@ -140,2 +141,11 @@
 
+      it(`disallows ${protocol} urls that use : for the colon portion of the url`, () => {
+        expect(sanitizeUrl(`${protocol}:alert(document.domain)`)).toBe(
+          "about:blank"
+        );
+        expect(sanitizeUrl(`${protocol}:alert(document.domain)`)).toBe(
+          "about:blank"
+        );
+      });
+
       it(`disregards capitalization for ${protocol} urls`, () => {
@@ -142,0 +152,0 @@ // upper case every other letter in protocol name

src/index.ts

 const invalidProtocolRegex = /^([^\w]*)(javascript|data|vbscript)/im;
 const htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g;
+const htmlTabEntityRegex = /&tab;/gi;
 const ctrlCharactersRegex =
   /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim;
-const urlSchemeRegex = /^([^:]+):/gm;
+const urlSchemeRegex = /^.+(:|:)/gim;
 const relativeFirstCharacters = [".", "/"];
@@ -14,2 +15,3 @@
 function decodeHtmlCharacters(str: string) {
+  str = str.replace(htmlTabEntityRegex, "	");
   return str.replace(htmlEntitiesRegex, (match, dec) => {
@@ -16,0 +18,0 @@ return String.fromCharCode(dec);

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

16304

increased by4.96%

Lines of code

273

increased by5%

No dependency changes