From b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae Mon Sep 17 00:00:00 2001
From: Rodney Rehm
Date: Sun, 3 Apr 2022 11:24:54 +0200
Subject: [PATCH] fix(parse): handle CR,LF,TAB reported by @haxatron via huntr.dev
---
 CHANGELOG.md | 1 +
 src/URI.js | 4 ++++
 test/urls.js | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 54 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d576563..32057b1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ The release notes tracked in this document are also made available on the [relea
 ### master ###
 * **SECURITY** fixing [`URI.parse()`](http://medialize.github.io/URI.js/docs.html#static-parse) handle excessive slashes in scheme-relative URLs - disclosed by [zeyu2001](https://github.com/zeyu2001) via https://huntr.dev/
+* **SECURITY** fixing [`URI.parse()`](http://medialize.github.io/URI.js/docs.html#static-parse) remove `\r` (CR), `\n`, (LF) `\t` (TAB) - disclosed by [haxatron](https://github.com/haxatron) via https://huntr.dev/
 ### 1.19.10 (March 5th 2022) ###
diff --git a/src/URI.js b/src/URI.js
index c46352b..330a480 100644
--- a/src/URI.js
+++ b/src/URI.js
@@ -240,6 +240,8 @@
 parens: /(\([^\)]*\)|\[[^\]]*\]|\{[^}]*\}|<[^>]*>)/g,
 };
 URI.leading_whitespace_expression = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/
+ // https://infra.spec.whatwg.org/#ascii-tab-or-newline
+ URI.ascii_tab_whitespace = /[\u0009\u000A\u000D]+/g
 // http://www.iana.org/assignments/uri-schemes.html
 // http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports
 URI.defaultPorts = {
@@ -497,6 +499,8 @@
 }
 string = string.replace(URI.leading_whitespace_expression, '')
+ // https://infra.spec.whatwg.org/#ascii-tab-or-newline
+ string = string.replace(URI.ascii_tab_whitespace, '')
 // [protocol"://"[username[":"password]"@"]hostname[":"port]"/"?][path]["?"querystring]["#"fragment]
diff --git a/test/urls.js b/test/urls.js
index d8c32ef..0dd0e84 100644
--- a/test/urls.js
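Review bot: In the `src/URI.js` hunk at `@@ -240`, `URI.ascii_tab_whitespace` is a static regex with the `g` flag, and nothing beside it says it is meant for `String#replace` only. A global regex keeps `lastIndex` between `.test()` and `.exec()` calls, so reusing it for a membership check elsewhere would give alternating results. I would add `// global flag: use with String#replace only; .test()/.exec() are stateful` above the definition. The name also differs from the term the linked spec uses ("ASCII tab or newline"), so `URI.ascii_tab_or_newline` would be easier to match against the reference if it can still be renamed before release.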
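Review bot: In the `src/URI.js` hunk at `@@ -497`, the added `string.replace(URI.ascii_tab_whitespace, '')` carries only a spec link, so the security reason for the line is not recorded next to the code. I would replace the comment with `// browsers drop TAB, LF and CR anywhere in a URL before parsing; strip them here so protocol checks see the same scheme the browser will`. The removal applies to the whole input, so literal tabs and newlines in path, query and fragment are dropped as well; that matches the linked definition but is a behaviour change that the `URI.parse()` docs should mention. The enclosing function starts and ends outside the hunk, so whether other entry points receive already-cleaned input cannot be confirmed from here.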
+++ b/test/urls.js
@@ -2718,6 +2718,55 @@ var urls = [{
 idn: false,
 punycode: false
 }
+ }, {
+ name: 'ASCII tab or newline',
+ url: 'ja\r\nva\tscript:alert(1)',
+ _url: 'javascript:alert(1)',
+ parts: {
+ protocol: 'javascript',
+ username: null,
+ password: null,
+ hostname: null,
+ port: null,
+ path: 'alert(1)',
+ query: null,
+ fragment: null
+ },
+ accessors: {
+ protocol: 'javascript',
+ username: '',
+ password: '',
+ port: '',
+ path: 'alert(1)',
+ query: '',
+ fragment: '',
+ resource: 'alert(1)',
+ authority: '',
+ origin: '',
+ userinfo: '',
+ subdomain: '',
+ domain: '',
+ tld: '',
+ directory: '',
+ filename: '',
+ suffix: '',
+ hash: '',
+ search: '',
+ host: '',
+ hostname: ''
+ },
+ is: {
+ urn: true,
+ url: false,
+ relative: false,
+ name: false,
+ sld: false,
+ ip: false,
+ ip4: false,
+ ip6: false,
+ idn: false,
+ punycode: false
+ }
 }, {
 name: 'excessive colon in protocol delimiter',
 url: 'http:://www.example.org:8080/hello:world',
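Review bot: The new 'ASCII tab or newline' fixture places CR, LF and TAB only inside the scheme, while the replace added in `src/URI.js` is global over the whole input. I would add sibling fixtures with the characters in the authority and in the path or query (constructed example: `'http://exam\tple.org/pa\r\nth'` expecting `_url: 'http://example.org/path'`), so that a later change narrowing the stripping to the scheme is caught by the suite. A case where the characters follow leading spaces would also pin the ordering of the two `replace` calls in `URI.parse`.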