Merge pull request #179 from danielberndt/patch-1
Don't decode url before encoding it again
jgm authored Jan 9, 2020
2 parents ca71e64 + edd1f4a commit cd03322
Showing 2 changed files with 10 additions and 3 deletions.
3 changes: 1 addition & 2 deletions lib/common.js
@@ -1,7 +1,6 @@
"use strict";

var encode = require('mdurl/encode');
var decode = require('mdurl/decode');

var C_BACKSLASH = 92;

@@ -56,7 +55,7 @@ var unescapeString = function(s) {

var normalizeURI = function(uri) {
try {
return encode(decode(uri));
return encode(uri);
}
catch(err) {
return uri;
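Review bot: The `catch` branch of `normalizeURI` still returns `uri` untouched, so any input that makes `encode` throw reaches the caller with no percent-encoding at all, and with `decode` gone nothing documents which inputs that still covers. A short comment above the function would pin the contract, for example `// Percent-encodes only: existing %XX escapes are kept as written; on failure the raw uri is returned unencoded.` The visible lines also do no scheme checking, so any link-scheme filtering for untrusted Markdown presumably happens in the renderer; it is worth confirming that code does not assume escapes were canonicalised here. The end of the function lies outside the hunk.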
10 changes: 9 additions & 1 deletion test/regression.txt
@@ -122,7 +122,15 @@ Double-encoding.
```````````````````````````````` example
[XSS](javascript:alert%28'XSS'%29)
.
<p><a href="javascript&amp;colon;alert('XSS')">XSS</a></p>
<p><a href="javascript&amp;colon;alert%28'XSS'%29">XSS</a></p>
````````````````````````````````

PR #179

```````````````````````````````` example
[link](https://www.example.com/home/%25batty)
.
<p><a href="https://www.example.com/home/%25batty">link</a></p>
````````````````````````````````

Issue commonamrk#517 - script, pre, style close tag without
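Review bot: The added PR #179 example pins only the `%25` case, so the behaviour for a `%` that is not followed by two hex digits is left unpinned now that the decode step is gone. One more example beside it, such as a destination ending in `/100%` (constructed sample) with its expected `href` written out, would fix that in place. The changed expectation in the Double-encoding example means escapes like `%28` now reach the `href` verbatim; a one-line remark under that heading would show the new expectation is intentional.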
