NotificationsYou must be signed in to change notification settings
Fork2.4k
Star23.7k

Commitf605a9c

authored

fix(isURL): handle possible bypass with URL-encoded content (#2633)

* fix(isURL): handle possible bypass with URL-encoded content* style: fix indentation

1 parenta165ebe commitf605a9cCopy full SHA for f605a9c

File tree

2 files changed

-2

lines changed

src/lib
- isURL.js
test
- validators.test.js

2 files changed

-2

lines changed

`‎src/lib/isURL.js‎`

Lines changed: 7 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,12 @@ export default function isURL(url, options) {`
`126`	`126`	`constvalid_auth_regex=/^[a-zA-Z0-9\-_.%:]*$/;`
`127`	`127`	`constis_valid_auth=valid_auth_regex.test(before_at);`
`128`	`128`
`129`		`-if(is_valid_auth){`
	`129`	`+// Check if this contains URL-encoded content that could be malicious`
	`130`	`+// For example: #"diff-1ced9bbbf98fe2779af1d618687cec44dd27ac19c72c7cc6d85da8b67978ce90-129-131-0" data-selected="false" role="gridcell" tabindex="-1" valign="top">`	`131`	`+// The encoded part decodes to: alert(1)`
	`132`	`+consthas_encoded_content=/%[0-9a-fA-F]{2}/.test(before_at);`
	`133`	`+`
	`134`	`+if(is_valid_auth&&!has_encoded_content){`
`130`	`135`	`// This looks like authentication (e.g., user:password@host), not a protocol`
`131`	`136`	`if(options.require_protocol){`
`132`	`137`	`returnfalse;`
`@@ -135,6 +140,7 @@ export default function isURL(url, options) {`
`135`	`140`	`// Don't consume the colon; let the auth parsing handle it later`
`136`	`141`	`}else{`
`137`	`142`	`// This looks like a malicious protocol (e.g., #"diff-1ced9bbbf98fe2779af1d618687cec44dd27ac19c72c7cc6d85da8b67978ce90-137-143-0" data-selected="false" role="gridcell" tabindex="-1" valign="top">`	`143`	`+// or URL-encoded protocol handler (e.g., #"diff-1ced9bbbf98fe2779af1d618687cec44dd27ac19c72c7cc6d85da8b67978ce90-138-144-0" data-selected="false" role="gridcell" tabindex="-1" valign="top">138`	`144`	`url=cleanUpProtocol(potential_protocol);`
`139`	`145`
`140`	`146`	`if(url===false){`

`‎test/validators.test.js‎`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -426,7 +426,6 @@ describe('Validators', () => {`
`426`	`426`	`'http://1337.com',`
`427`	`427`	`// TODO: those probably should not be marked as valid URLs; CVE-2025-56200`
`428`	`428`	`/* eslint-disable no-script-url */`
`429`		`-'#"diff-0e926933c509ce75fa4197bf85e6383c40c0d7bc207fe1fc6ae712c4cecbe18a-430-429-0" data-selected="false" role="gridcell" tabindex="-1" valign="top">430`	`429`	`'http://evil-site.com@example.com/',`
`431`	`430`	`'ｊａｖａｓｃｒｉｐｔ:alert(1)@example.com',`
`432`	`431`	`/* eslint-enable no-script-url */`
`@@ -480,6 +479,8 @@ describe('Validators', () => {`
`480`	`479`	`'#"diff-0e926933c509ce75fa4197bf85e6383c40c0d7bc207fe1fc6ae712c4cecbe18a-481-480-0" data-selected="false" role="gridcell" tabindex="-1" valign="top">481`	`480`	`'#"diff-0e926933c509ce75fa4197bf85e6383c40c0d7bc207fe1fc6ae712c4cecbe18a-482-481-0" data-selected="false" role="gridcell" tabindex="-1" valign="top">482`	`481`	`'#"diff-0e926933c509ce75fa4197bf85e6383c40c0d7bc207fe1fc6ae712c4cecbe18a-482-482-0" data-selected="false" role="gridcell" tabindex="-1" valign="top">`	`482`	`+'#"diff-0e926933c509ce75fa4197bf85e6383c40c0d7bc207fe1fc6ae712c4cecbe18a-482-483-0" data-selected="false" role="gridcell" tabindex="-1" valign="top">`	`483`	`+'#"diff-0e926933c509ce75fa4197bf85e6383c40c0d7bc207fe1fc6ae712c4cecbe18a-483-484-0" data-selected="false" role="gridcell" tabindex="-1" valign="top">483`	`484`	`'data:text/html,<script>alert(1)</script>@example.com',`
`484`	`485`	`'vbscript:msgbox("XSS")@example.com',`
`485`	`486`	`'//evil-site.com/path@example.com',`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commitf605a9c

File tree

2 files changed

2 files changed

`‎src/lib/isURL.js‎`

`‎test/validators.test.js‎`

0 commit comments