Merge branch 'master' of github.com:visionmedia/express

commit c8526932f3658cfde30079298ebb132eca353b10 2 parents 060653b + 5cf29a3
@tj tj authored
Showing with 18 additions and 1 deletion.
  1. +1 −1  lib/response.js
  2. +17 −0 test/res.redirect.js
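--- a/lib/response.js
+++ b/lib/response.js
@@ -656,7 +656,7 @@ res.redirect = function(url){
 // Support text/{plain,html} by default
 this.format({
 text: function(){
-body = statusCodes[status] + '. Redirecting to ' + url;
+body = statusCodes[status] + '. Redirecting to ' + encodeURI(url);
 },
 html: function(){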
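Review bot: The new `encodeURI(url)` on the text/plain body is not idempotent: `encodeURI` also escapes `%`, so a redirect target that already contains percent-encoded sequences (the common case for real URLs) is rendered double-encoded in the body, e.g. `%3C` becomes `%253C`. Whether that matters depends on what callers pass to `res.redirect`, which the hunk does not show; at minimum the intent and this caveat deserve a comment on the added line, such as `// encode the url so the plain-text body cannot carry raw markup; note encodeURI re-encodes '%', so an already-encoded url is shown double-encoded`. The html branch that follows and the rest of `res.redirect` are outside the hunk, so whether the Location header and the html body receive the same treatment cannot be checked here.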
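--- a/test/res.redirect.js
+++ b/test/res.redirect.js
@@ -287,6 +287,23 @@ describe('res', function(){
 done();
 })
 })
+
+ it('should encode the url', function(done){
+ var app = express();
+
+ app.use(function(req, res){
+ res.redirect('http://example.com/?param=<script>alert("hax");</script>');
+ });
+
+ request(app)
+ .get('/')
+ .set('Host', 'http://example.com')
+ .set('Accept', 'text/plain, */*')
+ .end(function(err, res){
+ res.text.should.equal('Moved Temporarily. Redirecting to http://example.com/?param=%3Cscript%3Ealert(%22hax%22);%3C/script%3E');
+ done();
+ })
+ })
 })
 describe('when accepting neither text or html', function(){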
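Review bot: The new test only asserts the text/plain body; it does not check the `Location` header of the same response, so the test cannot tell whether the redirect target itself was left intact or was also encoded, which is the property a client actually depends on. Adding `res.headers.location.should.equal('http://example.com/?param=<script>alert("hax");</script>');` alongside the body assertion would pin that down, and a second case with an already percent-encoded target (where `encodeURI` turns `%` into `%25`) would document the body behaviour for the common input. The `err` argument of the `.end` callback is also ignored, so a transport failure surfaces as a confusing `res.text` error rather than the real cause; `if (err) return done(err);` as the first line would fix that. The enclosing `describe('res', ...)` starts outside the hunk.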