Comparing version 5.0.0-beta.2 to 5.0.0-beta.3

37

lib/response.js

@@ -37,3 +37,2 @@ /*!

var vary = require('vary');
var urlParse = require('url').parse;

@@ -55,2 +54,9 @@ /**

/**
* Module variables.
* @private
*/
var schemaAndHostRegExp = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/\?]+/;
/**
* Set status `code`.

@@ -778,3 +784,3 @@ *

res.location = function location(url) {
var loc = String(url);
var loc;

@@ -784,23 +790,14 @@ // "back" is an alias for the referrer

loc = this.req.get('Referrer') || '/';
} else {
loc = String(url);
}
var lowerLoc = loc.toLowerCase();
var encodedUrl = encodeUrl(loc);
if (lowerLoc.indexOf('https://') === 0 || lowerLoc.indexOf('http://') === 0) {
try {
var parsedUrl = urlParse(loc);
var parsedEncodedUrl = urlParse(encodedUrl);
// Because this can encode the host, check that we did not change the host
if (parsedUrl.host !== parsedEncodedUrl.host) {
// If the host changes after encodeUrl, return the original url
return this.set('Location', loc);
}
} catch (e) {
// If parse fails, return the original url
return this.set('Location', loc);
}
}
var m = schemaAndHostRegExp.exec(loc);
var pos = m ? m[0].length + 1 : 0;
// set location
return this.set('Location', encodedUrl);
// Only encode after host to avoid invalid encoding which can introduce
// vulnerabilities (e.g. `\\` to `%5C`).
loc = loc.slice(0, pos) + encodeUrl(loc.slice(pos));
return this.set('Location', loc);
};

@@ -807,0 +804,0 @@
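Review bot: The new `var pos = m ? m[0].length + 1 : 0;` in the `res.location` hunk skips one character past the matched authority without a comment saying why, and `schemaAndHostRegExp` in the earlier hunk is documented only as a module variable. Since the `+ 1` deliberately keeps the delimiter that ends the host (`/`, `\` or `?`) out of `encodeUrl`, which is the substance of the fix, I would add above it `// pos is just past the delimiter that ends the authority; scheme, host and that delimiter are emitted verbatim`. Above the regex I would add `// Optional scheme, then "//" and the authority, which ends at the first "\\", "/" or "?"`, and note that the character class does not stop at `#`, so anything glued to the host before one of those three delimiters is also passed through unencoded — if that is intended it should be stated. `res.location` opens in the `@@ -778,3 +784,3 @@` hunk and its `if (url === 'back')` line sits between the two hunks, outside the shown lines.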

{
"name": "express",
"description": "Fast, unopinionated, minimalist web framework",
"version": "5.0.0-beta.2",
"version": "5.0.0-beta.3",
"author": "TJ Holowaychuk <tj@vision-media.ca>",

@@ -6,0 +6,0 @@ "contributors": [

