fix: remove newline entities (#46)

* fix: remove newline entities * strip out tabs and newlines * not decoding, so just replace * update changelog
braintree · Nov 9, 2022 · a39ca11 · a39ca11
1 parent ab8d43d
commit a39ca11
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # CHANGELOG
 
+## unreleased
+- Fix issue where urls in the form `https://example.com&NewLine;&NewLine;/something` were not properly sanitized
+
 ## 6.0.1
 
 - Fix issue where urls in the form `javascript&colon;alert('xss');` were not properly sanitized

diff --git a/src/__tests__/test.ts b/src/__tests__/test.ts
@@ -92,6 +92,12 @@ describe("sanitizeUrl", () => {
     );
   });
 
+  it("removes newline entities from urls", () => {
+    expect(sanitizeUrl("https://example.com&NewLine;&NewLine;/something")).toBe(
+      "https://example.com/something"
+    );
+  });
+
   it("decodes html entities", () => {
     // all these decode to javascript:alert('xss');
     const attackVectors = [

diff --git a/src/index.ts b/src/index.ts
@@ -1,6 +1,6 @@
 const invalidProtocolRegex = /^([^\w]*)(javascript|data|vbscript)/im;
 const htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g;
-const htmlTabEntityRegex = /&tab;/gi;
+const htmlCtrlEntityRegex = /&(newline|tab);/gi;
 const ctrlCharactersRegex =
   /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim;
 const urlSchemeRegex = /^.+(:|&colon;)/gim;
@@ -12,14 +12,14 @@ function isRelativeUrlWithoutProtocol(url: string): boolean {
 
 // adapted from https://stackoverflow.com/a/29824550/2601552
 function decodeHtmlCharacters(str: string) {
-  str = str.replace(htmlTabEntityRegex, "&#9;");
   return str.replace(htmlEntitiesRegex, (match, dec) => {
     return String.fromCharCode(dec);
   });
 }
 
 export function sanitizeUrl(url?: string): string {
   const sanitizedUrl = decodeHtmlCharacters(url || "")
+    .replace(htmlCtrlEntityRegex, "")
     .replace(ctrlCharactersRegex, "")
     .trim();