@braintree/sanitize-url - npm Package Compare versions

Comparing version 7.0.0 to 7.0.1

CHANGELOG.md

 # CHANGELOG
 
+## 7.0.1
+
+- Improve sanitization of HTML entities
+
 ## 7.0.0
@@ -4,0 +8,0 @@

dist/index.js

@@ -19,6 +19,15 @@ "use strict";
     }
-    var sanitizedUrl = decodeHtmlCharacters(url)
-        .replace(constants_1.htmlCtrlEntityRegex, "")
-        .replace(constants_1.ctrlCharactersRegex, "")
-        .trim();
+    var charsToDecode;
+    var decodedUrl = url;
+    do {
+        decodedUrl = decodeHtmlCharacters(decodedUrl)
+            .replace(constants_1.htmlCtrlEntityRegex, "")
+            .replace(constants_1.ctrlCharactersRegex, "")
+            .trim();
+        charsToDecode =
+            decodedUrl.match(constants_1.ctrlCharactersRegex) ||
+                decodedUrl.match(constants_1.htmlEntitiesRegex) ||
+                decodedUrl.match(constants_1.htmlCtrlEntityRegex);
+    } while (charsToDecode && charsToDecode.length > 0);
+    var sanitizedUrl = decodedUrl;
     if (!sanitizedUrl) {
@@ -25,0 +34,0 @@ return constants_1.BLANK_URL;

package.json

 {
   "name": "@braintree/sanitize-url",
-  "version": "7.0.0",
+  "version": "7.0.1",
   "description": "A url sanitizer",
@@ -5,0 +5,0 @@ "main": "dist/index.js",

src/__tests__/index.test.ts

@@ -112,2 +112,4 @@ /* eslint-disable no-script-url */
       "javasc&#\u0000x09;ript:alert(1)",
+      "java&&#78&#59;ewLine&newline&#59;&#59;script:alert('XSS')",
+      "java&NewLine&newline;;script:alert('XSS')",
     ];
@@ -114,0 +116,0 @@

src/index.ts

@@ -27,8 +27,15 @@ import {
   }
-
-  const sanitizedUrl = decodeHtmlCharacters(url)
-    .replace(htmlCtrlEntityRegex, "")
-    .replace(ctrlCharactersRegex, "")
-    .trim();
-
+  let charsToDecode;
+  let decodedUrl = url;
+  do {
+    decodedUrl = decodeHtmlCharacters(decodedUrl)
+      .replace(htmlCtrlEntityRegex, "")
+      .replace(ctrlCharactersRegex, "")
+      .trim();
+    charsToDecode =
+      decodedUrl.match(ctrlCharactersRegex) ||
+      decodedUrl.match(htmlEntitiesRegex) ||
+      decodedUrl.match(htmlCtrlEntityRegex);
+  } while (charsToDecode && charsToDecode.length > 0);
+  const sanitizedUrl = decodedUrl;
   if (!sanitizedUrl) {
@@ -35,0 +42,0 @@ return BLANK_URL;

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

19645

increased by4.82%

Lines of code

333

increased by6.39%

No dependency changes