Merge pull request #11006 from brave/fix/homepage-homograph

fix homepage punycode display bypass

Author: bbondy

js/lib/urlutil.js

@@ -354,7 +354,7 @@ const UrlUtil = {
       parsed.hostname = punycode.toASCII(parsed.hostname)
       return urlFormat(parsed)
     } catch (e) {
-      return url
+      return punycode.toASCII(url)
     }
   },
 

test/about/preferencesTest.js

@@ -35,6 +35,17 @@ describe('General Panel', function () {
         .waitForInputText(homepageInput, 'https://www.brave.xn--com-8cd/')
     })
 
+    it('homepage displays punycode without HTTP prefix', function * () {
+      yield this.app.client
+        .tabByIndex(0)
+        .loadUrl(prefsUrl)
+        .waitForVisible(homepageInput)
+        .click(homepageInput)
+        .keys(Array.apply(null, Array(50)).map(() => Brave.keys.BACKSPACE))
+        .keys('а')
+        .waitForInputText(homepageInput, 'xn--80a')
+    })
+
     it('homepage can be backspaced', function * () {
       yield this.app.client
         .tabByIndex(0)

test/unit/lib/urlutilTest.js

@@ -280,9 +280,12 @@ describe('urlutil', function () {
   })
 
   describe('getPunycodeUrl', function () {
-    it('returns empty string if input is not a URL', function () {
+    it('returns original string if input is ASCII', function () {
       assert.equal(urlUtil.getPunycodeUrl('invalid-url-goes-here'), 'invalid-url-goes-here')
     })
+    it('returns punycode ASCII string if input is non-ASCII', function () {
+      assert.equal(urlUtil.getPunycodeUrl('ebаy.com'), 'xn--eby-7cd.com')
+    })
     it('returns the punycode URL when given a valid URL', function () {
       assert.equal(urlUtil.getPunycodeUrl('http://brave:brave@ebаy.com:1234/brave#brave'), 'http://brave:brave@xn--eby-7cd.com:1234/brave#brave')
     })