Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Handle backslashes like Node.js and Chrome
[RFC 2396][] section 2.4.3 puts backslashes (`\`) in the "unwise" list of characters that aren't allowed in URIs. However, IE, Opera and Chrome normalize backslashes to slashes (`/`), as noted in [Chromium][]. Since URI.js doesn't do this, it creates possible vulnerabilities. For example: ```js var page = URI(window.location.href); var redirect = URI(page.search(true).redirect_uri); if (page.domain() === redirect.domain()) { window.location = redirect.href(); } ``` This logic will work fine, except when `redirect` has backslashes in the host, e.g. ``` http://i.xss.com\www.example.org/foo ``` In this case, you'll get: ```js URI("http://www.example.org").domain(); // example.org URI("http://i.xss.com\\www.example.org/foo").domain(); // example.org ``` ...yet the browsers will redirect you to ``` http://i.xss.com/www.example.org/foo ``` which could be a phishing site. The supplied change simply replaces all backslashes before the query/hash with slashes. This workaround is also in [Node][Node]. [RFC 2396]: https://www.ietf.org/rfc/rfc2396.txt [Chromium]: https://code.google.com/p/chromium/issues/detail?id=25916 [Node]: https://github.com/joyent/node/blob/386fd24f49b0e9d1a8a076592a404168faeecc34/lib/url.js#L115-L124
- Loading branch information