From b614b651979a4f9f71b1dc06c776fee84a184353 Mon Sep 17 00:00:00 2001 From: Daniel Date: Wed, 8 Jan 2020 11:24:46 +0100 Subject: [PATCH 1/3] Don't decode url before encoding it again --- lib/common.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/common.js b/lib/common.js index 3b2276e3..385d283b 100644 --- a/lib/common.js +++ b/lib/common.js @@ -56,7 +56,7 @@ var unescapeString = function(s) { var normalizeURI = function(uri) { try { - return encode(decode(uri)); + return encode(uri); } catch(err) { return uri; From 4f2309af2e33d6c15847a4b664cd40273c97725b Mon Sep 17 00:00:00 2001 From: Daniel Berndt Date: Thu, 9 Jan 2020 11:00:42 +0100 Subject: [PATCH 2/3] adapt existing encoding-based regression test and add `%25`-based regression test --- test/regression.txt | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/test/regression.txt b/test/regression.txt index ec5143ef..13c64a20 100644 --- a/test/regression.txt +++ b/test/regression.txt @@ -122,7 +122,15 @@ Double-encoding. ```````````````````````````````` example [XSS](javascript:alert%28'XSS'%29) . -

XSS

+

XSS

+```````````````````````````````` + +PR #179 + +```````````````````````````````` example +[link](https://www.example.com/home/%25batty) +. +

link

```````````````````````````````` Issue commonamrk#517 - script, pre, style close tag without From edd1f4aa2050c7003f667e5fca7ec584b8960af9 Mon Sep 17 00:00:00 2001 From: Daniel Berndt Date: Thu, 9 Jan 2020 11:05:47 +0100 Subject: [PATCH 3/3] do not require `decode`, as it's not needed any more --- lib/common.js | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/common.js b/lib/common.js index 385d283b..d3a01d0c 100644 --- a/lib/common.js +++ b/lib/common.js @@ -1,7 +1,6 @@ "use strict"; var encode = require('mdurl/encode'); -var decode = require('mdurl/decode'); var C_BACKSLASH = 92;