url: Escape all unwise characters

This makes node's http URL handling logic identical to Chrome's

Re #5284
pull/37258/head
isaacs 2013-04-12 11:39:28 -07:00
parent 061151c5f5
commit 17a379ec39
2 changed files with 13 additions and 3 deletions

View File

@ -57,13 +57,12 @@ var protocolPattern = /^([a-z0-9.+-]+:)/i,
unwise = ['{', '}', '|', '\\', '^', '~', '`'].concat(delims),
// Allowed by RFCs, but cause of XSS attacks. Always escape these.
autoEscape = ['\''].concat(delims),
autoEscape = ['\''].concat(unwise),
// Characters that are never ever allowed in a hostname.
// Note that any invalid chars are also handled, but these
// are the ones that are *expected* to be seen, so we fast-path
// them.
nonHostChars = ['%', '/', '?', ';', '#']
.concat(unwise).concat(autoEscape),
nonHostChars = ['%', '/', '?', ';', '#'].concat(autoEscape),
nonAuthChars = ['/', '@', '?', '#'].concat(delims),
hostnameMaxLen = 255,
hostnamePartPattern = /^[a-z0-9A-Z_-]{0,63}$/,

View File

@ -741,6 +741,17 @@ var parseTests = {
'path': '/test',
},
'http://x:1/\' <>"`/{}|\\^~`/': {
protocol: 'http:',
slashes: true,
host: 'x:1',
port: '1',
hostname: 'x',
pathname: '/%27%20%3C%3E%22%60/%7B%7D%7C%5C%5E%7E%60/',
path: '/%27%20%3C%3E%22%60/%7B%7D%7C%5C%5E%7E%60/',
href: 'http://x:1/%27%20%3C%3E%22%60/%7B%7D%7C%5C%5E%7E%60/'
},
};
for (var u in parseTests) {