@braintree/sanitize-url
Comparing version 6.0.1 to 6.0.2
# CHANGELOG | ||
## 6.0.2 | ||
- Fix issue where urls in the form `https://example.com

/something` were not properly sanitized | ||
## 6.0.1 | ||
@@ -4,0 +8,0 @@ |
@@ -6,3 +6,3 @@ "use strict"; | ||
var htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g; | ||
var htmlTabEntityRegex = /&tab;/gi; | ||
var htmlCtrlEntityRegex = /&(newline|tab);/gi; | ||
var ctrlCharactersRegex = /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim; | ||
@@ -16,3 +16,2 @@ var urlSchemeRegex = /^.+(:|:)/gim; | ||
function decodeHtmlCharacters(str) { | ||
str = str.replace(htmlTabEntityRegex, "	"); | ||
return str.replace(htmlEntitiesRegex, function (match, dec) { | ||
@@ -24,2 +23,3 @@ return String.fromCharCode(dec); | ||
var sanitizedUrl = decodeHtmlCharacters(url || "") | ||
.replace(htmlCtrlEntityRegex, "") | ||
.replace(ctrlCharactersRegex, "") | ||
@@ -26,0 +26,0 @@ .trim(); |
{ | ||
"name": "@braintree/sanitize-url", | ||
"version": "6.0.1", | ||
"version": "6.0.2", | ||
"description": "A url sanitizer", | ||
@@ -5,0 +5,0 @@ "main": "dist/index.js", |
@@ -95,2 +95,8 @@ /* eslint-disable no-script-url */ | ||
it("removes newline entities from urls", () => { | ||
expect(sanitizeUrl("https://example.com

/something")).toBe( | ||
"https://example.com/something" | ||
); | ||
}); | ||
it("decodes html entities", () => { | ||
@@ -97,0 +103,0 @@ // all these decode to javascript:alert('xss'); |
const invalidProtocolRegex = /^([^\w]*)(javascript|data|vbscript)/im; | ||
const htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g; | ||
const htmlTabEntityRegex = /&tab;/gi; | ||
const htmlCtrlEntityRegex = /&(newline|tab);/gi; | ||
const ctrlCharactersRegex = | ||
@@ -15,3 +15,2 @@ /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim; | ||
function decodeHtmlCharacters(str: string) { | ||
str = str.replace(htmlTabEntityRegex, "	"); | ||
return str.replace(htmlEntitiesRegex, (match, dec) => { | ||
@@ -24,2 +23,3 @@ return String.fromCharCode(dec); | ||
const sanitizedUrl = decodeHtmlCharacters(url || "") | ||
.replace(htmlCtrlEntityRegex, "") | ||
.replace(ctrlCharactersRegex, "") | ||
@@ -26,0 +26,0 @@ .trim(); |
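Review bot: The `.replace(htmlCtrlEntityRegex, "")` added in the third hunk, directly after `decodeHtmlCharacters(url || "")`, is order-dependent and nothing in the code records that: numeric entities are decoded first, so an input whose ampersand is itself numerically encoded is normalised to `&newline;` before this step strips it, and moving the call ahead of the decode would quietly reopen the case this release fixes. Suggest a comment above the chain such as `// Order matters: decode numeric entities first so an encoded "&" still reaches the named-entity strip below.` The regex `/&(newline|tab);/gi` introduced in the first hunk is a hand-maintained list of exactly two named entities, and a short comment stating that every other named entity passes through untouched (only `&#…;` forms are decoded by `decodeHtmlCharacters`) would help whoever extends it next. The new test case `removes newline entities from urls` exercises only the literal `&NewLine;` spelling; a sibling case with the ampersand numerically encoded would pin the ordering above. Both `sanitizeUrl` and `decodeHtmlCharacters` start and end outside these hunks.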