Permalink
Browse files

strip authority to avoid exploits in parse regex

As explained by @mala in Issue #4787, most browsers simply strip the
authority from `location.href` anyway. We can simply mimick this more
secure behavior for the browsers that don't thereby avoiding the
decoding xss.
  • Loading branch information...
johnbender committed Aug 9, 2012
1 parent dea9d31 commit 2c83dffffe475be2f8b2f298e7d6110b527466e1
Showing with 9 additions and 25 deletions.
  1. +5 −19 js/jquery.mobile.navigation.js
  2. +4 −6 tests/unit/navigation/navigation_helpers.js
@@ -49,27 +49,13 @@ define( [
//
urlParseRE: /^(((([^:\/#\?]+:)?(?:(\/\/)((?:(([^:@\/#\?]+)(?:\:([^:@\/#\?]+))?)@)?(([^:\/#\?\]\[]+|\[[^\/\]@#?]+\])(?:\:([0-9]+))?))?)?)?((\/?(?:[^\/\?#]+\/+)*)([^\?#]*)))?(\?[^#]+)?)(#.*)?/,
// Abstraction to address xss (Issue #4787) in browsers that auto decode the username:pass
// portion of location.href. All references to location.href should be replaced with a call
// to this method so that it can be dealt with properly here
// Abstraction to address xss (Issue #4787) by removing the authority in
// browsers that auto decode it. All references to location.href should be
// replaced with a call to this method so that it can be dealt with properly here
getLocation: function( url ) {
var uri = this.parseUrl( url || location.href ),
encodedUserPass = "";
var uri = url ? $.mobile.path.parseUrl( url ) : location;
if( uri.username ){
encodedUserPass = encodeURI( uri.username );
}
if( uri.password ){
encodedUserPass = encodedUserPass + ":" + encodeURI( uri.password );
}
if( encodedUserPass ){
return uri.protocol + "//" + encodedUserPass + "@" +
uri.host + uri.pathname + uri.search + uri.hash;
}
return uri.href;
return uri.protocol + "//" + uri.host + uri.pathname + uri.search + uri.hash;
},
parseLocation: function() {
@@ -241,14 +241,12 @@
test( "path.getLocation works properly", function() {
equal( $.mobile.path.getLocation("http://example.com/"), "http://example.com/" );
equal( $.mobile.path.getLocation("http://foo@example.com"), "http://foo@example.com" );
equal( $.mobile.path.getLocation("http://foo:bar@example.com"), "http://foo:bar@example.com" );
equal( $.mobile.path.getLocation("http://<foo<:bar@example.com"), "http://%3Cfoo%3C:bar@example.com" );
equal( $.mobile.path.getLocation("http://foo:<bar<@example.com"), "http://foo:%3Cbar%3C@example.com" );
equal( $.mobile.path.getLocation("http://<foo<:<bar<@example.com"), "http://%3Cfoo%3C:%3Cbar%3C@example.com" );
equal( $.mobile.path.getLocation("http://foo@example.com"), "http://example.com" );
equal( $.mobile.path.getLocation("http://foo:bar@example.com"), "http://example.com" );
equal( $.mobile.path.getLocation("http://<foo<:bar@example.com"), "http://example.com" );
var allUriParts = "http://jblas:password@mycompany.com:8080/mail/inbox?msg=1234&type=unread#msg-content";
equal( $.mobile.path.getLocation( allUriParts ), allUriParts );
equal( $.mobile.path.getLocation( allUriParts ), allUriParts.replace( "jblas:password@", "") );
});
})(jQuery);

0 comments on commit 2c83dff

Please sign in to comment.