li-38822 fix: handle whitespace escapes

src/__tests__/index.test.ts

@@ -127,6 +127,19 @@ describe("sanitizeUrl", () => {
     ).toBe("https://example.com/javascript:alert('XSS')");
   });
 
+  it("removes whitespace escape sequences", () => {
+    const attackVectors = [
+      "javascri\npt:alert('xss')",
+      "javascri\rpt:alert('xss')",
+      "javascri\tpt:alert('xss')",
+      "javascrip\x74t:alert('XSS')",
+    ];
+
+    attackVectors.forEach((vector) => {
+      expect(sanitizeUrl(vector)).toBe(BLANK_URL);
+    });
+  });
+
   describe("invalid protocols", () => {
     describe.each(["javascript", "data", "vbscript"])("%s", (protocol) => {
       it(`replaces ${protocol} urls with ${BLANK_URL}`, () => {

src/constants.ts

@@ -4,5 +4,6 @@ export const htmlCtrlEntityRegex = /&(newline|tab);/gi;
 export const ctrlCharactersRegex =
   /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim;
 export const urlSchemeRegex = /^.+(:|:)/gim;
+export const whitespaceEscapeChars = /\\[nrt]/g;
 export const relativeFirstCharacters = [".", "/"];
 export const BLANK_URL = "about:blank";

src/index.ts

@@ -6,6 +6,7 @@ import {
   invalidProtocolRegex,
   relativeFirstCharacters,
   urlSchemeRegex,
+  whitespaceEscapeChars,
 } from "./constants";
 
 function isRelativeUrlWithoutProtocol(url: string): boolean {
@@ -30,11 +31,13 @@ export function sanitizeUrl(url?: string): string {
     decodedUrl = decodeHtmlCharacters(decodedUrl)
       .replace(htmlCtrlEntityRegex, "")
       .replace(ctrlCharactersRegex, "")
+      .replace(whitespaceEscapeChars, "")
       .trim();
     charsToDecode =
       decodedUrl.match(ctrlCharactersRegex) ||
       decodedUrl.match(htmlEntitiesRegex) ||
-      decodedUrl.match(htmlCtrlEntityRegex);
+      decodedUrl.match(htmlCtrlEntityRegex) ||
+      decodedUrl.match(whitespaceEscapeChars);
   } while (charsToDecode && charsToDecode.length > 0);
   const sanitizedUrl = decodedUrl;
   if (!sanitizedUrl) {