diff --git a/lib/url.js b/lib/url.js
index 95b72ddd4f..47669db620 100644
--- a/lib/url.js
+++ b/lib/url.js
@@ -54,7 +54,7 @@ var protocolPattern = /^([a-z0-9.+-]+:)/i,
 delims = ['<', '>', '"', '`', ' ', '\r', '\n', '\t'],
 // RFC 2396: characters not allowed for various reasons.
- unwise = ['{', '}', '|', '\\', '^', '~', '`'].concat(delims),
+ unwise = ['{', '}', '|', '\\', '^', '`'].concat(delims),
 // Allowed by RFCs, but cause of XSS attacks. Always escape these.
 autoEscape = ['\''].concat(unwise),
diff --git a/test/simple/test-url.js b/test/simple/test-url.js
index b319f66df8..a308996e66 100644
--- a/test/simple/test-url.js
+++ b/test/simple/test-url.js
@@ -747,9 +747,9 @@ var parseTests = {
 host: 'x:1',
 port: '1',
 hostname: 'x',
- pathname: '/%27%20%3C%3E%22%60/%7B%7D%7C%5C%5E%7E%60/',
- path: '/%27%20%3C%3E%22%60/%7B%7D%7C%5C%5E%7E%60/',
- href: 'http://x:1/%27%20%3C%3E%22%60/%7B%7D%7C%5C%5E%7E%60/'
+ pathname: '/%27%20%3C%3E%22%60/%7B%7D%7C%5C%5E~%60/',
+ path: '/%27%20%3C%3E%22%60/%7B%7D%7C%5C%5E~%60/',
+ href: 'http://x:1/%27%20%3C%3E%22%60/%7B%7D%7C%5C%5E~%60/'
 },
 };
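Review bot: The `unwise` list in lib/url.js now leaves out `'~'` without a comment saying the omission is deliberate, so a later reader checking the list against the "Always escape these" comment below may add it back. A line above the array would settle it, e.g. `// '~' is unreserved (RFC 3986 section 2.3) and is intentionally not escaped.` The backtick is listed in both `delims` and `unwise`, so it ends up twice in `autoEscape` after the `concat`; that is harmless, but dropping it from `unwise` keeps the lists disjoint. Callers that compare a parsed `href` or `pathname` against stored strings, allowlist entries or signed values built with the old `%7E` form will now see a literal `~`, which presumably deserves a changelog line. The `var` declaration list starts and ends outside the hunk.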
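Review bot: The updated expectations in test/simple/test-url.js pin the unescaped `~` only inside the path of one URL; nothing visible in this hunk covers a tilde in the query string or fragment, or an input that already carries `%7E`. If the rest of `parseTests` has no such entry, a case like `'http://x/~user/?a=~b#~c'` (constructed example) with its expected `pathname`, `search`, `hash` and `href` would document that `~` is left alone in every component. A second entry with `%7E` in the input would pin that an existing escape is passed through unchanged rather than decoded. The `parseTests` object starts outside the hunk.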