strip authority to avoid exploits in parse regex

As explained by @mala in Issue jquery-archive#4787, most browsers simply strip the authority from `location.href` anyway. We can simply mimick this more secure behavior for the browsers that don't thereby avoiding the decoding xss.
arschmitz · Oct 16, 2012 · 64f3776 · 64f3776
1 parent 8d34ecf
commit 64f3776
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 25 deletions.
diff --git a/js/jquery.mobile.navigation.js b/js/jquery.mobile.navigation.js
@@ -49,27 +49,13 @@ define( [
 			//
 			urlParseRE: /^(((([^:\/#\?]+:)?(?:(\/\/)((?:(([^:@\/#\?]+)(?:\:([^:@\/#\?]+))?)@)?(([^:\/#\?\]\[]+|\[[^\/\]@#?]+\])(?:\:([0-9]+))?))?)?)?((\/?(?:[^\/\?#]+\/+)*)([^\?#]*)))?(\?[^#]+)?)(#.*)?/,
 
-			// Abstraction to address xss (Issue #4787) in browsers that auto decode the username:pass
-			// portion of location.href. All references to location.href should be replaced with a call
-			// to this method so that it can be dealt with properly here
+			// Abstraction to address xss (Issue #4787) by removing the authority in
+			// browsers that auto	decode it. All references to location.href should be
+			// replaced with a call to this method so that it can be dealt with properly here
 			getLocation: function( url ) {
-				var uri = this.parseUrl( url || location.href ),
-					encodedUserPass = "";
+				var uri = url ? $.mobile.path.parseUrl( url ) : location;
 
-				if( uri.username ){
-					encodedUserPass = encodeURI( uri.username );
-				}
-
-				if( uri.password  ){
-					encodedUserPass = encodedUserPass + ":" + encodeURI( uri.password );
-				}
-
-				if( encodedUserPass ){
-					return uri.protocol + "//" + encodedUserPass + "@" +
-						uri.host + uri.pathname + uri.search + uri.hash;
-				}
-
-				return uri.href;
+				return uri.protocol + "//" + uri.host + uri.pathname + uri.search + uri.hash;
 			},
 
 			parseLocation: function() {

diff --git a/tests/unit/navigation/navigation_helpers.js b/tests/unit/navigation/navigation_helpers.js
@@ -241,14 +241,12 @@
 
 	test( "path.getLocation works properly", function() {
 		equal( $.mobile.path.getLocation("http://example.com/"), "http://example.com/" );
-		equal( $.mobile.path.getLocation("http://foo@example.com"), "http://foo@example.com" );
-		equal( $.mobile.path.getLocation("http://foo:bar@example.com"), "http://foo:bar@example.com" );
-		equal( $.mobile.path.getLocation("http://<foo<:bar@example.com"), "http://%3Cfoo%3C:bar@example.com" );
-		equal( $.mobile.path.getLocation("http://foo:<bar<@example.com"), "http://foo:%3Cbar%3C@example.com" );
-		equal( $.mobile.path.getLocation("http://<foo<:<bar<@example.com"), "http://%3Cfoo%3C:%3Cbar%3C@example.com" );
+		equal( $.mobile.path.getLocation("http://foo@example.com"), "http://example.com" );
+		equal( $.mobile.path.getLocation("http://foo:bar@example.com"), "http://example.com" );
+		equal( $.mobile.path.getLocation("http://<foo<:bar@example.com"), "http://example.com" );
 
 		var allUriParts = "http://jblas:password@mycompany.com:8080/mail/inbox?msg=1234&type=unread#msg-content";
 
-		equal( $.mobile.path.getLocation( allUriParts ), allUriParts );
+		equal( $.mobile.path.getLocation( allUriParts ), allUriParts.replace( "jblas:password@", "") );
 	});
 })(jQuery);