
Fix #3270 Escape url.parse delims

Rather than omitting them.
1 parent c393853 commit 9fc7283a403bb0dec096b76991226cba8e7b73c2 @isaacs isaacs committed May 16, 2012
Showing with 84 additions and 38 deletions.
  1. +8 −18 lib/url.js
  2. +76 −20 test/simple/test-url.js
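--- a/lib/url.js
+++ b/lib/url.js
@@ -32,12 +32,16 @@ exports.format = urlFormat;
 // compiled once on the first module load.
 var protocolPattern = /^([a-z0-9.+-]+:)/i,
 portPattern = /:[0-9]*$/,
+
 // RFC 2396: characters reserved for delimiting URLs.
+ // We actually just auto-escape these.
 delims = ['<', '>', '"', '`', ' ', '\r', '\n', '\t'],
+
 // RFC 2396: characters not allowed for various reasons.
 unwise = ['{', '}', '|', '\\', '^', '~', '`'].concat(delims),
+
 // Allowed by RFCs, but cause of XSS attacks. Always escape these.
- autoEscape = ['\''],
+ autoEscape = ['\''].concat(delims),
 // Characters that are never ever allowed in a hostname.
 // Note that any invalid chars are also handled, but these
 // are the ones that are *expected* to be seen, so we fast-path
@@ -95,13 +99,9 @@ function urlParse(url, parseQueryString, slashesDenoteHost) {
 var out = {},
 rest = url;
- // cut off any delimiters.
- // This is to support parse stuff like "<http://foo.com>"
- for (var i = 0, l = rest.length; i < l; i++) {
- if (delims.indexOf(rest.charAt(i)) === -1) break;
- }
- if (i !== 0) rest = rest.substr(i);
-
+ // trim before proceeding.
+ // This is to support parse stuff like " http://foo.com \n"
+ rest = rest.trim();
 var proto = protocolPattern.exec(rest);
 if (proto) {
@@ -271,16 +271,6 @@ function urlParse(url, parseQueryString, slashesDenoteHost) {
 }
 rest = rest.split(ae).join(esc);
 }
-
- // Now make sure that delims never appear in a url.
- var chop = rest.length;
- for (var i = 0, l = delims.length; i < l; i++) {
- var c = rest.indexOf(delims[i]);
- if (c !== -1) {
- chop = Math.min(c, chop);
- }
- }
- rest = rest.substr(0, chop);
 }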
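Review bot: The `rest = rest.trim()` line in the second hunk narrows what is stripped from the front of the input: the removed loop dropped every leading character in `delims` (including `<`, `"` and the backtick) before `protocolPattern.exec(rest)` ran, whereas `trim()` only removes whitespace, so an input that begins with a non-whitespace delimiter no longer has its scheme recognised and the whole string presumably falls through to the path branch and the autoEscape pass in the third hunk. That matches the commit title, but the new comment only mentions the whitespace case; I would extend it to `// Leading non-whitespace delims (e.g. '<', '"') are no longer stripped; they fall through to the autoEscape pass below.` so the next reader does not reinstate the loop. The escape loop and its enclosing guard in the third hunk start outside the hunk, so I cannot confirm from this page which protocols the escaping applies to; the test/simple/test-url.js section did not render here either, so coverage of the leading-delimiter case cannot be checked. A small nit in the first hunk: `unwise` still lists the backtick explicitly and then concatenates `delims`, which already contains it, so `unwise = ['{', '}', '|', '\\', '^', '~'].concat(delims),` avoids the duplicate membership check.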
