
Fix #3270 Escape url.parse delims

Rather than omitting them.
isaacs committed May 16, 2012
1 parent c393853 commit 9fc7283a403bb0dec096b76991226cba8e7b73c2
Showing with 84 additions and 38 deletions.
  1. +8 −18 lib/url.js
  2. +76 −20 test/simple/test-url.js
@@ -32,12 +32,16 @@ exports.format = urlFormat;
// compiled once on the first module load.
var protocolPattern = /^([a-z0-9.+-]+:)/i,
portPattern = /:[0-9]*$/,

// RFC 2396: characters reserved for delimiting URLs.
// We actually just auto-escape these.
delims = ['<', '>', '"', '`', ' ', '\r', '\n', '\t'],

// RFC 2396: characters not allowed for various reasons.
unwise = ['{', '}', '|', '\\', '^', '~', '`'].concat(delims),

// Allowed by RFCs, but cause of XSS attacks. Always escape these.
autoEscape = ['\''],
autoEscape = ['\''].concat(delims),
// Characters that are never ever allowed in a hostname.
// Note that any invalid chars are also handled, but these
// are the ones that are *expected* to be seen, so we fast-path
@@ -95,13 +99,9 @@ function urlParse(url, parseQueryString, slashesDenoteHost) {
var out = {},
rest = url;

// cut off any delimiters.
// This is to support parse stuff like "<http://foo.com>"
for (var i = 0, l = rest.length; i < l; i++) {
if (delims.indexOf(rest.charAt(i)) === -1) break;
}
if (i !== 0) rest = rest.substr(i);

// trim before proceeding.
// This is to support parse stuff like " http://foo.com \n"
rest = rest.trim();

var proto = protocolPattern.exec(rest);
if (proto) {
@@ -271,16 +271,6 @@ function urlParse(url, parseQueryString, slashesDenoteHost) {
}
rest = rest.split(ae).join(esc);
}

// Now make sure that delims never appear in a url.
var chop = rest.length;
for (var i = 0, l = delims.length; i < l; i++) {
var c = rest.indexOf(delims[i]);
if (c !== -1) {
chop = Math.min(c, chop);
}
}
rest = rest.substr(0, chop);
}
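Review bot: The comment at the top of the `delims` declaration should state the new contract now that the chop loop (the `var chop = rest.length` block removed in the third hunk) and the leading-delimiter skip (removed in the second hunk) are gone: a delimiter no longer truncates the input, it is percent-encoded wherever it occurs via `autoEscape`, while `rest.trim()` still removes only leading/trailing whitespace. I would replace the two comment lines above `delims = [...]` with `// RFC 2396: characters reserved for delimiting URLs.` / `// Interior occurrences are percent-encoded by the autoEscape loop; only` / `// leading/trailing whitespace is removed (trim()), nothing is truncated.` Since `delims` is itself spliced into `autoEscape` and `unwise` via `.concat(delims)`, the backtick is now listed twice in `unwise` (once in its literal, once from `delims`); harmless for `indexOf` checks, but dropping it from the `unwise` literal would keep the lists disjoint. The position of the `rest.split(ae).join(esc)` escape loop relative to host extraction is outside the visible hunks, so it is worth a test that a delimiter inside the host part still terminates the hostname rather than being encoded into it.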

