
url: Escape all unwise characters

This makes node's http URL handling logic identical to Chrome's

Re #5284
v0.11.1-release
isaacs 12 years ago
parent
commit
17a379ec39
  1. 5
      lib/url.js
  2. 11
      test/simple/test-url.js

5
lib/url.js

@ -57,13 +57,12 @@ var protocolPattern = /^([a-z0-9.+-]+:)/i,
unwise = ['{', '}', '|', '\\', '^', '~', '`'].concat(delims), unwise = ['{', '}', '|', '\\', '^', '~', '`'].concat(delims),
// Allowed by RFCs, but cause of XSS attacks. Always escape these. // Allowed by RFCs, but cause of XSS attacks. Always escape these.
autoEscape = ['\''].concat(delims), autoEscape = ['\''].concat(unwise),
// Characters that are never ever allowed in a hostname. // Characters that are never ever allowed in a hostname.
// Note that any invalid chars are also handled, but these // Note that any invalid chars are also handled, but these
// are the ones that are *expected* to be seen, so we fast-path // are the ones that are *expected* to be seen, so we fast-path
// them. // them.
nonHostChars = ['%', '/', '?', ';', '#'] nonHostChars = ['%', '/', '?', ';', '#'].concat(autoEscape),
.concat(unwise).concat(autoEscape),
nonAuthChars = ['/', '@', '?', '#'].concat(delims), nonAuthChars = ['/', '@', '?', '#'].concat(delims),
hostnameMaxLen = 255, hostnameMaxLen = 255,
hostnamePartPattern = /^[a-z0-9A-Z_-]{0,63}$/, hostnamePartPattern = /^[a-z0-9A-Z_-]{0,63}$/,
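Review bot: The comment kept above `autoEscape` ("Allowed by RFCs, but cause of XSS attacks") no longer describes the set, which after this change is the single quote plus everything in `unwise`, delimiters included. That set contains `~`, which RFC 3986 lists as unreserved, so a caller that compares, caches or signs the URL string it passed in will now get `%7E` back; it is worth confirming this is intended and saying so in the comment. I would reword it to something like `// Always escaped on parse: the quote (RFC-legal but XSS-prone) plus every unwise and delimiter character.` and add a line at `nonHostChars` noting that it now picks up `unwise` only through `autoEscape`. The enclosing `var` statement starts and ends outside the hunk.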

11
test/simple/test-url.js

@ -741,6 +741,17 @@ var parseTests = {
'path': '/test', 'path': '/test',
}, },
'http://x:1/\' <>"`/{}|\\^~`/': {
protocol: 'http:',
slashes: true,
host: 'x:1',
port: '1',
hostname: 'x',
pathname: '/%27%20%3C%3E%22%60/%7B%7D%7C%5C%5E%7E%60/',
path: '/%27%20%3C%3E%22%60/%7B%7D%7C%5C%5E%7E%60/',
href: 'http://x:1/%27%20%3C%3E%22%60/%7B%7D%7C%5C%5E%7E%60/'
},
}; };
for (var u in parseTests) { for (var u in parseTests) {
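Review bot: The added `parseTests` case puts the unwise characters only in the path, so the `nonHostChars` change in lib/url.js (now built from `autoEscape` alone) gets no direct coverage from it. A second case with the same characters after `?` and `#`, and one with a character such as `{` directly after the host, would pin that query, fragment and host splitting behave as expected with the wider escape set. A short comment above the new entry would also help, e.g. `// unwise characters are percent-encoded on parse, see #5284`. `parseTests` begins outside the hunk, so an existing case may already cover part of this.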
