From CodeQL: "The escape sequence '\?' is equivalent to just '?', so …

…the sequence may still represent a meta-character when it is used in a regular expression." (Rule ID js/useless-regexp-character-escape). Instead of parsing the query string manually, SAML-tracer can make use of `URLSearchParams`.
simplesamlphp · Jun 18, 2022 · a500371 · a500371
1 parent b3bb8da
commit a500371
Showing 1 changed file with 2 additions and 20 deletions.
diff --git a/src/SAMLTrace.js b/src/SAMLTrace.js
@@ -162,27 +162,9 @@ SAMLTrace.Request.prototype = {
       return;
     }
 
-    var r = new RegExp('[&;\?]');
-    var elements = this.url.split(r);
-
     this.get = [];
-
-    for (var i = 1; i < elements.length; i++) {
-      var e = elements[i];
-      var p = e.indexOf('=');
-      var name, value;
-      if (p == -1) {
-        name = e;
-        value = '';
-      } else {
-        name = e.substr(0, p);
-        value = e.substr(p + 1);
-      }
-
-      name = name.replace('+', ' ');
-      name = decodeURIComponent(name);
-      value = value.replace('+', ' ');
-      value = decodeURIComponent(value);
+    // URLSearchParams handles splitting and decoding: https://url.spec.whatwg.org/#concept-urlencoded-parser
+    for (const [name, value] of new URL(this.url).searchParams.entries()) {
       this.get.push([name, value]);
     }
   },