fix: remove newline entities

CHANGELOG.md

@@ -1,5 +1,8 @@
 # CHANGELOG
 
+## unreleased
+- Fix issue where urls in the form `https://example.com

/something` were not properly sanitized
+
 ## 6.0.1
 
 - Fix issue where urls in the form `javascript:alert('xss');` were not properly sanitized

src/__tests__/test.ts

@@ -92,6 +92,12 @@ describe("sanitizeUrl", () => {
     );
   });
 
+  it("removes newline entities from urls", () => {
+    expect(sanitizeUrl("https://example.com

/something")).toBe(
+      "https://example.com/something"
+    );
+  });
+
   it("decodes html entities", () => {
     // all these decode to javascript:alert('xss');
     const attackVectors = [

src/index.ts

@@ -1,6 +1,6 @@
 const invalidProtocolRegex = /^([^\w]*)(javascript|data|vbscript)/im;
 const htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g;
-const htmlTabEntityRegex = /&tab;/gi;
+const htmlCtrlEntityRegex = /&(newline|tab);/gi;
 const ctrlCharactersRegex =
   /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim;
 const urlSchemeRegex = /^.+(:|:)/gim;
@@ -12,14 +12,14 @@ function isRelativeUrlWithoutProtocol(url: string): boolean {
 
 // adapted from https://stackoverflow.com/a/29824550/2601552
 function decodeHtmlCharacters(str: string) {
-  str = str.replace(htmlTabEntityRegex, "	");
   return str.replace(htmlEntitiesRegex, (match, dec) => {
     return String.fromCharCode(dec);
   });
 }
 
 export function sanitizeUrl(url?: string): string {
   const sanitizedUrl = decodeHtmlCharacters(url || "")
+    .replace(htmlCtrlEntityRegex, "")
     .replace(ctrlCharactersRegex, "")
     .trim();