From ba45cde0ec0ccfcb7cddad76c7a43c16954217c4 Mon Sep 17 00:00:00 2001
From: Blade Barringer
Date: Tue, 12 Apr 2022 10:53:17 -0500
Subject: [PATCH] fix: correct urls that did not sanitize html encoded colons

---
 CHANGELOG.md | 4 ++++
 src/__tests__/test.ts | 9 +++++++++
 src/index.ts | 2 +-
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1e5d9fa..88fa38a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # CHANGELOG
 
+## unreleased
+
+- Fix issue where urls in the form `javascript:alert('xss');` were not properly sanitized
+
 ## 6.0.0
 
 **Breaking Changes**
diff --git a/src/__tests__/test.ts b/src/__tests__/test.ts
index 51cb224..15ea5ce 100644
--- a/src/__tests__/test.ts
+++ b/src/__tests__/test.ts
@@ -136,6 +136,15 @@ describe("sanitizeUrl", () => {
 );
 });
 
+ it(`disallows ${protocol} urls that use : for the colon portion of the url`, () => {
+ expect(sanitizeUrl(`${protocol}:alert(document.domain)`)).toBe( "about:blank" );
+ expect(sanitizeUrl(`${protocol}:alert(document.domain)`)).toBe( "about:blank" );
+ });
+
 it(`disregards capitalization for ${protocol} urls`, () => {
 // upper case every other letter in protocol name
 const mixedCapitalizationProtocol = protocol
diff --git a/src/index.ts b/src/index.ts
index 801dfae..2998341 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -2,7 +2,7 @@
 const invalidProtocolRegex = /^([^\w]*)(javascript|data|vbscript)/im;
 const htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g;
 const ctrlCharactersRegex = /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim;
-const urlSchemeRegex = /^([^:]+):/gm;
+const urlSchemeRegex = /^.+(:|:)/gim;
 const relativeFirstCharacters = [".", "/"];
 
 function isRelativeUrlWithoutProtocol(url: string): boolean {
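Review bot: The two `expect` calls in the new `disallows ${protocol} urls that use : …` test read as identical literals in this view, so if the source really repeats `${protocol}:alert(document.domain)` twice the second assertion adds no coverage; presumably the page decoded two differently-cased HTML entity spellings of the colon (the new regex carries the `i` flag for that reason), in which case this is an extraction artefact, but it is worth confirming against the raw file. Independently, the new `urlSchemeRegex` in src/index.ts now captures greedily up to the last colon instead of the first, so a regression test that a benign URL with a colon in its port or path is not blanked would pin the intended behaviour, e.g. `expect(sanitizeUrl("https://example.com:8080/a:b")).not.toBe("about:blank");`. The enclosing `describe` block starts and ends outside the hunk.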
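Review bot: The new `urlSchemeRegex` special-cases one encoded colon inside the scheme pattern instead of canonicalizing the input before the protocol check: `htmlEntitiesRegex` on the line above only decodes numeric `&#…` entities, so any other named entity in the scheme portion still reaches `invalidProtocolRegex` un-decoded and the denylist is compared against a non-canonical string. A more robust shape is to decode named entities in the same pass that handles numeric ones (or to allowlist accepted schemes after decoding) and leave the scheme capture as the simple `/^([^:]+):/`. The change also swaps `[^:]+` for a greedy `.+`, so the captured prefix now runs to the last colon on the line (`https://host/a:b` captures `https://host/a:`), which is harmless only as long as that prefix is checked solely by the `^`-anchored `invalidProtocolRegex` — worth a comment such as `// greedy on purpose: the captured prefix is only ever tested against the ^-anchored invalidProtocolRegex`. Both alternatives in `(:|:)` render as a literal colon on this page, presumably an HTML entity decoded during extraction; if the committed pattern really repeats `:` the second alternative is dead. The `g` flag on a module-level regex is stateful (`lastIndex` persists between calls) if it is ever used with `.test()` or `.exec()`; that usage is outside the hunk, so confirm it is only used with `String.prototype.match`.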