From 1042a8012fb472bd5c882b469fe507dd6279d562 Mon Sep 17 00:00:00 2001
From: Lulu Wu
Date: Fri, 11 Mar 2022 16:26:48 -0800
Subject: [PATCH] Encode params in URLSearchParams
Summary: URL params are not encoded which could cause a security risk, for more details pls see https://fb.workplace.com/groups/react.technologies.discussions/permalink/3184249088473474/
Changelog: [General][Security] - Encode URL params in URLSearchParams.toString()
Reviewed By: yungsters
Differential Revision: D34415119
fbshipit-source-id: 83c29df9427ad0adc9b6a2b4d0ff5494247aa5cb
---
 Libraries/Blob/URL.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/Libraries/Blob/URL.js b/Libraries/Blob/URL.js
index 9bcc8060e05e27..77b4d7f94d6d7f 100644
--- a/Libraries/Blob/URL.js
+++ b/Libraries/Blob/URL.js
@@ -101,7 +101,13 @@ export class URLSearchParams {
 }
 const last = this._searchParams.length - 1;
 return this._searchParams.reduce((acc, curr, index) => {
- return acc + curr.join('=') + (index === last ? '' : '&');
+ return (
+ acc +
+ encodeURIComponent(curr[0]) +
+ '=' +
+ encodeURIComponent(curr[1]) +
+ (index === last ? '' : '&')
+ );
 }, '');
 }
 }
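Review bot: `encodeURIComponent` in the new `reduce` callback throws `URIError` when a key or value contains a lone surrogate, so `toString()` can now throw on externally supplied text where the old `curr.join('=')` never did; the method should document that or guard the two calls. The change also alters how missing values serialize: `join` rendered `null`/`undefined` as an empty string, while `encodeURIComponent(undefined)` yields the text `undefined`, so if `append` (outside this hunk) can store non-strings the value should be coerced explicitly, e.g. `encodeURIComponent(curr[1] ?? '')`. This is also not the WHATWG `application/x-www-form-urlencoded` serializer: spaces become `%20` rather than `+` and `!'()~` stay literal, so the output resists `&`/`=` parameter injection but still needs context-appropriate escaping when placed into HTML or script. The diffstat shows one file changed, so a test asserting that a value such as `a&b=c` serializes as a single parameter would pin the fix. The enclosing method begins above the hunk.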