fix: remove newline entities (#46)

kniemasik · web-flow · commit a39ca113ecf6 · 2022-11-09T14:06:55.000-06:00
* fix: remove newline entities

* strip out tabs and newlines

* not decoding, so just replace

* update changelog
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # CHANGELOG
 
+## unreleased
+- Fix issue where urls in the form `https://example.com&NewLine;&NewLine;/something` were not properly sanitized
+
 ## 6.0.1
 
 - Fix issue where urls in the form `javascript&colon;alert('xss');` were not properly sanitized
diff --git a/src/__tests__/test.ts b/src/__tests__/test.ts
@@ -92,6 +92,12 @@ describe("sanitizeUrl", () => {
     );
   });
 
+  it("removes newline entities from urls", () => {
+    expect(sanitizeUrl("https://example.com&NewLine;&NewLine;/something")).toBe(
+      "https://example.com/something"
+    );
+  });
+
   it("decodes html entities", () => {
     // all these decode to javascript:alert('xss');
     const attackVectors = [
diff --git a/src/index.ts b/src/index.ts
@@ -1,6 +1,6 @@
 const invalidProtocolRegex = /^([^\w]*)(javascript|data|vbscript)/im;
 const htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g;
-const htmlTabEntityRegex = /&tab;/gi;
+const htmlCtrlEntityRegex = /&(newline|tab);/gi;
 const ctrlCharactersRegex =
   /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim;
 const urlSchemeRegex = /^.+(:|&colon;)/gim;
@@ -12,14 +12,14 @@ function isRelativeUrlWithoutProtocol(url: string): boolean {
 
 // adapted from https://stackoverflow.com/a/29824550/2601552
 function decodeHtmlCharacters(str: string) {
-  str = str.replace(htmlTabEntityRegex, "&#9;");
   return str.replace(htmlEntitiesRegex, (match, dec) => {
     return String.fromCharCode(dec);
   });
 }
 
 export function sanitizeUrl(url?: string): string {
   const sanitizedUrl = decodeHtmlCharacters(url || "")
+    .replace(htmlCtrlEntityRegex, "")
     .replace(ctrlCharactersRegex, "")
     .trim();
 
