
Merge pull request #11006 from brave/fix/homepage-homograph

fix homepage punycode display bypass
bbondy committed Sep 20, 2017
2 parents e1066fd + c87fb24 commit f2e438d6158fbc62e2641458b6002a72d223c366
Showing with 16 additions and 2 deletions.
  1. +1 −1 js/lib/urlutil.js
  2. +11 −0 test/about/preferencesTest.js
  3. +4 −1 test/unit/lib/urlutilTest.js
@@ -354,7 +354,7 @@ const UrlUtil = {
parsed.hostname = punycode.toASCII(parsed.hostname)
return urlFormat(parsed)
} catch (e) {
return url
return punycode.toASCII(url)
}
},
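Review bot: The new fallback `return punycode.toASCII(url)` in the `catch` runs the converter over the whole unparsed string, but `toASCII` is meant for domain names and e-mail addresses, not arbitrary text. If this is punycode.js or Node's `punycode` module, everything before an `@` is treated as an e-mail local part and passed through unconverted, so a string that fails parsing can still come back with non-ASCII characters; a path or query is also label-encoded as though it were host text. Checking the result before returning it, e.g. `const ascii = punycode.toASCII(url)` and then testing it against `/^[\x00-\x7F]*$/`, would make the ASCII-only guarantee hold for every input; what to return when the check fails (percent-encode, or refuse the value) is a design choice. The call also sits inside the `catch`, so an exception from `toASCII` itself would now escape the function, whose `try` begins outside this hunk.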

@@ -35,6 +35,17 @@ describe('General Panel', function () {
.waitForInputText(homepageInput, 'https://www.brave.xn--com-8cd/')
})

it('homepage displays punycode without HTTP prefix', function * () {
yield this.app.client
.tabByIndex(0)
.loadUrl(prefsUrl)
.waitForVisible(homepageInput)
.click(homepageInput)
.keys(Array.apply(null, Array(50)).map(() => Brave.keys.BACKSPACE))
.keys('а')
.waitForInputText(homepageInput, 'xn--80a')
})

it('homepage can be backspaced', function * () {
yield this.app.client
.tabByIndex(0)
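Review bot: The argument in `.keys('а')` is Cyrillic U+0430, which is indistinguishable from Latin `a` in most fonts, so a reader cannot see why `xn--80a` is the expected value; `.keys('\u0430') // Cyrillic a, homograph of Latin a` makes the test self-explanatory and survives re-encoding of the file. The same holds for `'ebаy.com'` in the getPunycodeUrl cases in test/unit/lib/urlutilTest.js. The `Array(50)` backspaces also appear to assume the field never holds more than 50 characters; a named constant or a short comment stating that assumption would help.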
@@ -280,9 +280,12 @@ describe('urlutil', function () {
})

describe('getPunycodeUrl', function () {
it('returns empty string if input is not a URL', function () {
it('returns original string if input is ASCII', function () {
assert.equal(urlUtil.getPunycodeUrl('invalid-url-goes-here'), 'invalid-url-goes-here')
})
it('returns punycode ASCII string if input is non-ASCII', function () {
assert.equal(urlUtil.getPunycodeUrl('ebаy.com'), 'xn--eby-7cd.com')
})
it('returns the punycode URL when given a valid URL', function () {
assert.equal(urlUtil.getPunycodeUrl('http://brave:brave@ebаy.com:1234/brave#brave'), 'http://brave:brave@xn--eby-7cd.com:1234/brave#brave')
})
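Review bot: The added cases pin one encoded value for a bare host, but nothing exercises the function with input that is neither a parseable URL nor host-shaped, such as a scheme-less string carrying non-ASCII text in a path or before an `@`. Since the property this commit protects is that the displayed string is ASCII-only, a case such as `assert(/^[\x00-\x7F]*$/.test(urlUtil.getPunycodeUrl(input)))` over a few such inputs would guard it more directly than exact-match expectations. The enclosing `describe('getPunycodeUrl', ...)` block closes outside this hunk.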
