fix(nuxt): disallow redirects to more script protocols

package.json

@@ -75,7 +75,7 @@
     "semver": "7.5.4",
     "std-env": "3.3.3",
     "typescript": "5.1.6",
-    "ufo": "1.1.2",
+    "ufo": "1.2.0",
     "vite": "4.4.7",
     "vitest": "0.33.0",
     "vitest-environment-nuxt": "0.10.2",

packages/nuxi/package.json

@@ -47,7 +47,7 @@
     "pkg-types": "1.0.3",
     "scule": "1.0.0",
     "semver": "7.5.4",
-    "ufo": "1.1.2",
+    "ufo": "1.2.0",
     "unbuild": "latest"
   },
   "optionalDependencies": {

packages/nuxt/package.json

@@ -91,7 +91,7 @@
     "prompts": "^2.4.2",
     "scule": "^1.0.0",
     "strip-literal": "^1.0.1",
-    "ufo": "^1.1.2",
+    "ufo": "^1.2.0",
     "ultrahtml": "^1.3.0",
     "uncrypto": "^0.1.3",
     "unctx": "^2.3.1",

packages/nuxt/src/app/composables/router.ts

@@ -2,7 +2,7 @@ import { getCurrentInstance, hasInjectionContext, inject, onUnmounted } from 'vu
 import type { Ref } from 'vue'
 import type { NavigationFailure, NavigationGuard, RouteLocationNormalized, RouteLocationPathRaw, RouteLocationRaw, Router, useRoute as _useRoute, useRouter as _useRouter } from '#vue-router'
 import { sanitizeStatusCode } from 'h3'
-import { hasProtocol, joinURL, parseURL, withQuery } from 'ufo'
+import { hasProtocol, isScriptProtocol, joinURL, parseURL, withQuery } from 'ufo'
 
 import { useNuxtApp, useRuntimeConfig } from '../nuxt'
 import type { NuxtError } from './error'
@@ -133,11 +133,14 @@ export const navigateTo = (to: RouteLocationRaw | undefined | null, options?: Na
   }
 
   const isExternal = options?.external || hasProtocol(toPath, { acceptRelative: true })
-  if (isExternal && !options?.external) {
-    throw new Error('Navigating to external URL is not allowed by default. Use `navigateTo (url, { external: true })`.')
-  }
-  if (isExternal && parseURL(toPath).protocol === 'script:') {
-    throw new Error('Cannot navigate to an URL with script protocol.')
+  if (isExternal) {
+    if (!options?.external) {
+      throw new Error('Navigating to an external URL is not allowed by default. Use `navigateTo(url, { external: true })`.')
+    }
+    const protocol = parseURL(toPath).protocol
+    if (protocol && isScriptProtocol(protocol)) {
+      throw new Error(`Cannot navigate to a URL with '${protocol}' protocol.`)
+    }
   }
 
   const inMiddleware = isProcessingMiddleware()

packages/schema/package.json

@@ -56,7 +56,7 @@
     "pkg-types": "^1.0.3",
     "postcss-import-resolver": "^2.0.0",
     "std-env": "^3.3.3",
-    "ufo": "^1.1.2",
+    "ufo": "^1.2.0",
     "unimport": "^3.1.0",
     "untyped": "^1.4.0"
   },

packages/test-utils/package.json

@@ -30,7 +30,7 @@
     "get-port-please": "^3.0.1",
     "ofetch": "^1.1.1",
     "pathe": "^1.1.1",
-    "ufo": "^1.1.2"
+    "ufo": "^1.2.0"
   },
   "devDependencies": {
     "@jest/globals": "29.6.1",

packages/vite/package.json

@@ -55,7 +55,7 @@
     "rollup-plugin-visualizer": "^5.9.2",
     "std-env": "^3.3.3",
     "strip-literal": "^1.0.1",
-    "ufo": "^1.1.2",
+    "ufo": "^1.2.0",
     "unplugin": "^1.4.0",
     "vite": "^4.4.7",
     "vite-node": "^0.33.0",

packages/webpack/package.json

@@ -49,7 +49,7 @@
     "pug-plain-loader": "^1.1.0",
     "std-env": "^3.3.3",
     "time-fix-plugin": "^2.0.7",
-    "ufo": "^1.1.2",
+    "ufo": "^1.2.0",
     "unplugin": "^1.4.0",
     "url-loader": "^4.1.1",
     "vue-bundle-renderer": "^1.0.3",

test/bundle.test.ts

@@ -19,7 +19,7 @@ describe.skipIf(process.env.SKIP_BUNDLE_SIZE === 'true' || process.env.ECOSYSTEM
   for (const outputDir of ['.output', '.output-inline']) {
     it('default client bundle size', async () => {
       const clientStats = await analyzeSizes('**/*.js', join(rootDir, outputDir, 'public'))
-      expect.soft(roundToKilobytes(clientStats.totalBytes)).toMatchInlineSnapshot('"97.3k"')
+      expect.soft(roundToKilobytes(clientStats.totalBytes)).toMatchInlineSnapshot('"97.4k"')
       expect(clientStats.files.map(f => f.replace(/\..*\.js/, '.js'))).toMatchInlineSnapshot(`
         [
           "_nuxt/entry.js",
@@ -32,7 +32,7 @@ describe.skipIf(process.env.SKIP_BUNDLE_SIZE === 'true' || process.env.ECOSYSTEM
     const serverDir = join(rootDir, '.output/server')
 
     const serverStats = await analyzeSizes(['**/*.mjs', '!node_modules'], serverDir)
-    expect.soft(roundToKilobytes(serverStats.totalBytes)).toMatchInlineSnapshot('"64.4k"')
+    expect.soft(roundToKilobytes(serverStats.totalBytes)).toMatchInlineSnapshot('"64.5k"')
 
     const modules = await analyzeSizes('node_modules/**/*', serverDir)
     expect.soft(roundToKilobytes(modules.totalBytes)).toMatchInlineSnapshot('"2330k"')