From c169ac6bab94d7b57ed7d385c3af53cf4bc4fb71 Mon Sep 17 00:00:00 2001
From: Brian White
Date: Wed, 23 Mar 2016 04:45:46 -0400
Subject: [PATCH] querystring: don't stringify bad surrogate pair
Fixes: https://github.com/nodejs/node/issues/3702
PR-URL: https://github.com/nodejs/node/pull/5858
Reviewed-By: Ben Noordhuis
Reviewed-By: Benjamin Gruenbaum
Reviewed-By: Colin Ihrig
Reviewed-By: James M Snell
---
 lib/querystring.js | 2 +-
 test/parallel/test-querystring.js | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/querystring.js b/lib/querystring.js
index 29fc6552c5c9a2..ad1b5861a0f063 100644
--- a/lib/querystring.js
+++ b/lib/querystring.js
@@ -141,7 +141,7 @@ QueryString.escape = function(str) {
 if (i < str.length)
 c2 = str.charCodeAt(i) & 0x3FF;
 else
- c2 = 0;
+ throw new URIError('URI malformed');
 lastPos = i + 1;
 c = 0x10000 + (((c & 0x3FF) << 10) | c2);
 out += hexTable[0xF0 | (c >> 18)] +
diff --git a/test/parallel/test-querystring.js b/test/parallel/test-querystring.js
index c8e9cc7050af5b..24992b4c69a33a 100644
--- a/test/parallel/test-querystring.js
+++ b/test/parallel/test-querystring.js
@@ -139,6 +139,11 @@ qsWeirdObjects.forEach(function(testCase) {
 assert.equal(testCase[1], qs.stringify(testCase[0]));
 });
+// invalid surrogate pair throws URIError
+assert.throws(function() {
+ qs.stringify({ foo: '\udc00' });
+}, URIError);
+
 // coerce numbers to string
 assert.strictEqual('foo=0', qs.stringify({ foo: 0 }));
 assert.strictEqual('foo=0', qs.stringify({ foo: -0 }));
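Review bot: The added `throw` rejects only a surrogate that is the last code unit of the string; when any unit follows, `c2 = str.charCodeAt(i) & 0x3FF;` still masks it without checking that it lies in the low-surrogate range 0xDC00–0xDFFF. An unpaired surrogate followed by ordinary text is then folded into a four-byte sequence for a code point the input never contained, whereas `encodeURIComponent` raises URIError for the same string, and downstream decoders can disagree about what was sent. Read the unit unmasked and add `if ((c2 & 0xFC00) !== 0xDC00) throw new URIError('URI malformed');` before applying the mask. The range test on the leading unit and the rest of QueryString.escape are outside this hunk, so whether the leading unit is restricted to high surrogates cannot be confirmed from here.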
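Review bot: The only new case is a single low surrogate at the very end of the value, although its comment says "invalid surrogate pair", so nothing pins the behaviour for an unpaired surrogate followed by more characters or confirms that a well-formed pair still encodes. A positive control such as `assert.strictEqual(qs.stringify({ foo: '\ud83d\ude00' }), 'foo=%F0%9F%98%80');` (constructed sample, U+1F600) would guard against the new throw rejecting valid input. A second `assert.throws` with text after the unpaired unit, for example `'\ud800a'`, would show whether that path is rejected as well.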