
Add recursive decode HTML characters
jplukarski committed Mar 6, 2024
1 parent 93f1c59 commit 3cb3d2a
Showing 2 changed files with 15 additions and 6 deletions.
2 changes: 2 additions & 0 deletions src/__tests__/index.test.ts
Expand Up @@ -109,6 +109,8 @@ describe("sanitizeUrl", () => {
"  javascript:alert('XSS');",
"javasc	ript: alert('XSS');",
"javasc&#\u0000x09;ript:alert(1)",
"java&&#78&#59;ewLine&newline&#59;&#59;script:alert('XSS')",
"java&NewLine&newline;;script:alert('XSS')",
];

attackVectors.forEach((vector) => {
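Review bot: The two vectors added at L20–L21 each need exactly two decode passes, so they would still pass against an implementation that simply runs the old single pass twice; nothing in this hunk pins the property the commit is actually introducing, that decoding continues until a fixed point. A vector nested several layers deep, for example `"&#38;#38;#38;#38;#106;avascript:alert(1)"` (assuming, as the production change suggests, that each pass unmasks one layer), would distinguish "loop until nothing is left" from "run N passes" and would also surface a non-terminating decode as a hung test rather than a silent bypass. The `forEach` that asserts on each vector continues outside this hunk, so I am assuming it checks that `sanitizeUrl` returns the blank URL for every entry.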
19 changes: 13 additions & 6 deletions src/index.ts
Expand Up @@ -24,12 +24,19 @@ export function sanitizeUrl(url?: string): string {
if (!url) {
return BLANK_URL;
}

const sanitizedUrl = decodeHtmlCharacters(url)
.replace(htmlCtrlEntityRegex, "")
.replace(ctrlCharactersRegex, "")
.trim();

let charsToDecode;
let decodedUrl = url;
do {
decodedUrl = decodeHtmlCharacters(decodedUrl)
.replace(htmlCtrlEntityRegex, "")
.replace(ctrlCharactersRegex, "")
.trim();
charsToDecode =
decodedUrl.match(ctrlCharactersRegex) ||
decodedUrl.match(htmlEntitiesRegex) ||
decodedUrl.match(htmlCtrlEntityRegex);
} while (charsToDecode && charsToDecode.length > 0);
const sanitizedUrl = decodedUrl;
if (!sanitizedUrl) {
return BLANK_URL;
}
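Review bot: The `do`/`while` at L40–L49 terminates only if every substring that `htmlEntitiesRegex`, `htmlCtrlEntityRegex` or `ctrlCharactersRegex` matches is actually changed by `decodeHtmlCharacters` or the two `.replace` calls; those regexes and the decoder are defined outside this hunk, so if the entity regex ever matches something the decoder leaves in place (an entity it does not know how to decode, or a later edit that widens the regex without widening the decoder), `charsToDecode` stays non-empty and `sanitizeUrl` spins forever on attacker-supplied input, turning a sanitizer into a denial-of-service vector. Looping until the string stops changing removes that coupling and makes the fixed point explicit; it also drops the redundant `charsToDecode.length > 0` test, since `String.prototype.match` returns `null` rather than an empty array when nothing matches. A short why-comment on the loop, such as `// One pass can unmask a second layer ("&#38;#59;" -> "&#59;" -> ";"), so decode until nothing changes`, would stop a future maintainer from "simplifying" it back to a single pass. `sanitizeUrl` continues past the end of this hunk; the scheme check that follows still sees `sanitizedUrl` unchanged by this rewrite.
```typescript
  // One pass can unmask a second layer ("&#38;#59;" -> "&#59;" -> ";"),
  // so decode until the string reaches a fixed point. Comparing the
  // string to its previous value (rather than re-matching the regexes)
  // guarantees termination even if a regex matches something the
  // decoder does not rewrite.
  let decodedUrl = url;
  let previous: string;
  do {
    previous = decodedUrl;
    decodedUrl = decodeHtmlCharacters(previous)
      .replace(htmlCtrlEntityRegex, "")
      .replace(ctrlCharactersRegex, "")
      .trim();
  } while (decodedUrl !== previous);
  const sanitizedUrl = decodedUrl;
  // … unchanged: blank-URL check and the rest of sanitizeUrl …
```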

0 comments on commit 3cb3d2a
