fix: decodingURIComponent each sanitize round

braintree · May 9, 2024 · 6c15df9 · 6c15df9
1 parent 15926b6
commit 6c15df9
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/src/__tests__/index.test.ts b/src/__tests__/index.test.ts
@@ -138,6 +138,7 @@ describe("sanitizeUrl", () => {
       "javascrip%255Ctt:alert()",
       "javascrip%25%35Ctt:alert()",
       "javascrip%25%35%43tt:alert()",
+      "javascrip%25%32%35%25%33%35%25%34%33tt:alert()",
     ];
 
     attackVectors.forEach((vector) => {

diff --git a/src/index.ts b/src/index.ts
@@ -34,6 +34,7 @@ export function sanitizeUrl(url?: string): string {
       .replace(ctrlCharactersRegex, "")
       .replace(whitespaceEscapeCharsRegex, "")
       .trim();
+    decodedUrl = decodeURIComponent(decodedUrl);
     charsToDecode =
       decodedUrl.match(ctrlCharactersRegex) ||
       decodedUrl.match(htmlEntitiesRegex) ||