@livechat/url-utils - npm Package Compare versions

Comparing version 0.1.3 to 0.1.4

dist/url-utils.cjs.js

@@ -21,3 +21,3 @@ 'use strict';
 
-var hostnameRegexp = /(?:[^:]+:\/\/)?([^\/\s]+)/;
+var hostnameRegexp = /(?:[^:]+:\/\/)?([^/\s]+)/;
 function getHostname(url) {
@@ -28,3 +28,3 @@ var hostnameMatch = url.match(hostnameRegexp);
 
-var originRegexp = /[^:]+:\/\/[^(\/|\?)\s]+/;
+var originRegexp = /[^:]+:\/\/[^(/|?)\s]+/;
 
@@ -36,6 +36,6 @@ var getOrigin = function getOrigin(url) {
 
-var preSearchRegexp = /.*\?(.+)/;
+var searchRegexp = /.*?\?([^#]+)/;
 
 var getSearch = function getSearch(url) {
-  var match = url.match(preSearchRegexp);
+  var match = url.match(searchRegexp);
   return match ? "?" + match[1] : '';
@@ -57,3 +57,3 @@ };
 
-var pathnameRegexp = /^(?:https?:)?\/\/[^\/]+\/([^?#]+)/;
+var pathnameRegexp = /^(?:https?:)?\/\/[^/]+\/([^?#]+)/;
 
@@ -65,4 +65,24 @@ var getPathname = function getPathname(url) {
 
-var protocolRegexp = /^((http(s)?\:)?\/\/)/;
+// URL can contain leading C0 control or \u0020 SPACE,
+// and any newline or tab are filtered out as if they're not part of the URL.
+// https://url.spec.whatwg.org/#url-parsing
+// Tab or newline are defined as \r\n\t:
+// https://infra.spec.whatwg.org/#ascii-tab-or-newline
+// A C0 control is a code point in the range \u0000 NULL to \u001F
+// INFORMATION SEPARATOR ONE, inclusive:
+// https://infra.spec.whatwg.org/#c0-control-or-space
+var intersperseWithTabOrNewline = function intersperseWithTabOrNewline(str) {
+  return str.replace(/\w/g, '$&[\\r\\n\\t]*');
+};
 
+var unsafeProtocol = new RegExp("^[\0-\x1F]*(" + intersperseWithTabOrNewline('javascript') + "|" + intersperseWithTabOrNewline('data') + "):", 'i'); // would be better to whitelist things
+// but people might paste in protocolless URLs
+// and we would filter them out
+
+var hasUnsafeProtocol = function hasUnsafeProtocol(url) {
+  return unsafeProtocol.test(url);
+};
+
+var protocolRegexp = /^((http(s)?:)?\/\/)/;
+
 var removeProtocol = function removeProtocol(url) {
@@ -72,3 +92,3 @@ return url.replace(protocolRegexp, '');
 
-var protocolRegexp$1 = /^((http(s)?\:)?\/\/)/;
+var protocolRegexp$1 = /^((http(s)?:)?\/\/)/;
 
@@ -88,4 +108,5 @@ var getProtocol = function getProtocol(url) {
 exports.getSearch = getSearch;
+exports.hasUnsafeProtocol = hasUnsafeProtocol;
 exports.removeProtocol = removeProtocol;
 exports.trimSearch = trimSearch;
 exports.getProtocol = getProtocol;

dist/url-utils.esm.js

@@ -17,3 +17,3 @@ import { toPairs, fromPairs } from '@livechat/data-utils';
 
-var hostnameRegexp = /(?:[^:]+:\/\/)?([^\/\s]+)/;
+var hostnameRegexp = /(?:[^:]+:\/\/)?([^/\s]+)/;
 function getHostname(url) {
@@ -24,3 +24,3 @@ var hostnameMatch = url.match(hostnameRegexp);
 
-var originRegexp = /[^:]+:\/\/[^(\/|\?)\s]+/;
+var originRegexp = /[^:]+:\/\/[^(/|?)\s]+/;
 
@@ -32,6 +32,6 @@ var getOrigin = function getOrigin(url) {
 
-var preSearchRegexp = /.*\?(.+)/;
+var searchRegexp = /.*?\?([^#]+)/;
 
 var getSearch = function getSearch(url) {
-  var match = url.match(preSearchRegexp);
+  var match = url.match(searchRegexp);
   return match ? "?" + match[1] : '';
@@ -53,3 +53,3 @@ };
 
-var pathnameRegexp = /^(?:https?:)?\/\/[^\/]+\/([^?#]+)/;
+var pathnameRegexp = /^(?:https?:)?\/\/[^/]+\/([^?#]+)/;
 
@@ -61,4 +61,24 @@ var getPathname = function getPathname(url) {
 
-var protocolRegexp = /^((http(s)?\:)?\/\/)/;
+// URL can contain leading C0 control or \u0020 SPACE,
+// and any newline or tab are filtered out as if they're not part of the URL.
+// https://url.spec.whatwg.org/#url-parsing
+// Tab or newline are defined as \r\n\t:
+// https://infra.spec.whatwg.org/#ascii-tab-or-newline
+// A C0 control is a code point in the range \u0000 NULL to \u001F
+// INFORMATION SEPARATOR ONE, inclusive:
+// https://infra.spec.whatwg.org/#c0-control-or-space
+var intersperseWithTabOrNewline = function intersperseWithTabOrNewline(str) {
+  return str.replace(/\w/g, '$&[\\r\\n\\t]*');
+};
 
+var unsafeProtocol = new RegExp("^[\0-\x1F]*(" + intersperseWithTabOrNewline('javascript') + "|" + intersperseWithTabOrNewline('data') + "):", 'i'); // would be better to whitelist things
+// but people might paste in protocolless URLs
+// and we would filter them out
+
+var hasUnsafeProtocol = function hasUnsafeProtocol(url) {
+  return unsafeProtocol.test(url);
+};
+
+var protocolRegexp = /^((http(s)?:)?\/\/)/;
+
 var removeProtocol = function removeProtocol(url) {
@@ -68,3 +88,3 @@ return url.replace(protocolRegexp, '');
 
-var protocolRegexp$1 = /^((http(s)?\:)?\/\/)/;
+var protocolRegexp$1 = /^((http(s)?:)?\/\/)/;
 
@@ -76,2 +96,2 @@ var getProtocol = function getProtocol(url) {
 
-export { buildQueryString, decodeQueryString, getHostname, getOrigin, getQueryParam, getQueryParams, getPathname, getSearch, removeProtocol, trimSearch, getProtocol };
+export { buildQueryString, decodeQueryString, getHostname, getOrigin, getQueryParam, getQueryParams, getPathname, getSearch, hasUnsafeProtocol, removeProtocol, trimSearch, getProtocol };

package.json

 {
   "name": "@livechat/url-utils",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "description": "URL utility functions",
@@ -10,9 +10,16 @@ "contributors": [
   "license": "MIT",
+  "source": "./src/index.ts",
   "main": "./dist/url-utils.cjs.js",
   "module": "./dist/url-utils.esm.js",
   "types": "./types",
-  "files": ["dist", "types"],
-  "keywords": ["url", "utils"],
+  "files": [
+    "dist",
+    "types/**/*.d.ts"
+  ],
+  "keywords": [
+    "url",
+    "utils"
+  ],
   "dependencies": {
-    "@livechat/data-utils": "^0.2.7"
+    "@livechat/data-utils": "^0.2.8"
   },
@@ -25,5 +32,4 @@ "devDependencies": {
     "@babel/preset-typescript": "^7.3.3",
-    "babel-core": "^7.0.0-bridge.0",
-    "babel-jest": "^23.4.2",
-    "jest": "^23.6.0",
+    "babel-jest": "^24.9.0",
+    "jest": "24.9.0",
     "lerna-alias": "3.0.3-0",
@@ -34,6 +40,6 @@ "rimraf": "^2.6.1",
     "rollup-plugin-node-resolve": "^3.0.0",
-    "typescript": "^3.4.1"
+    "typescript": "^3.6.4"
   },
   "scripts": {
-    "prebuild": "rimraf dist types",
+    "prebuild": "rimraf dist",
     "build": "rollup -c && tsc",
@@ -40,0 +46,0 @@ "test": "jest",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

10107

increased by83.96%

Dev dependency count

13

decreased by-7.14%

Number of package files

17

increased by466.67%

Lines of code

196

increased by66.1%

Number of medium supply chain risk alerts

0

decreased by-100%

Dependency changes

• Updated@livechat/data-utils@^0.2.8