Fix html entity tab (#45)

kniemasik · crookedneighbor · web-flow · commit d4bdc89f1743 · 2022-10-20T15:12:27.000-07:00
* fix: correct urls that did not sanitize html encoded colons

* fix: replace html encoded tabs

* update CHANGELOG.md

Co-authored-by: Blade Barringer &lt;blade.barringer@paypal.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # CHANGELOG
 
+## unreleased
+
+- Fix issue where urls in the form `javascript&colon;alert('xss');` were not properly sanitized
+- Fix issue where urls in the form `javasc&Tab;ript:alert('XSS');` were not properly sanitized
+
 ## 6.0.0
 
 **Breaking Changes**
diff --git a/src/__tests__/test.ts b/src/__tests__/test.ts
@@ -100,6 +100,7 @@ describe("sanitizeUrl", () => {
       "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29",
       "jav&#x09;ascript:alert('XSS');",
       " &#14; javascript:alert('XSS');",
+      "javasc&Tab;ript: alert('XSS');",
     ];
 
     attackVectors.forEach((vector) => {
@@ -136,6 +137,15 @@ describe("sanitizeUrl", () => {
         );
       });
 
+      it(`disallows ${protocol} urls that use &colon; for the colon portion of the url`, () => {
+        expect(sanitizeUrl(`${protocol}&colon;alert(document.domain)`)).toBe(
+          "about:blank"
+        );
+        expect(sanitizeUrl(`${protocol}&COLON;alert(document.domain)`)).toBe(
+          "about:blank"
+        );
+      });
+
       it(`disregards capitalization for ${protocol} urls`, () => {
         // upper case every other letter in protocol name
         const mixedCapitalizationProtocol = protocol
diff --git a/src/index.ts b/src/index.ts
@@ -1,8 +1,9 @@
 const invalidProtocolRegex = /^([^\w]*)(javascript|data|vbscript)/im;
 const htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g;
+const htmlTabEntityRegex = /&tab;/gi;
 const ctrlCharactersRegex =
   /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim;
-const urlSchemeRegex = /^([^:]+):/gm;
+const urlSchemeRegex = /^.+(:|&colon;)/gim;
 const relativeFirstCharacters = [".", "/"];
 
 function isRelativeUrlWithoutProtocol(url: string): boolean {
@@ -11,6 +12,7 @@ function isRelativeUrlWithoutProtocol(url: string): boolean {
 
 // adapted from https://stackoverflow.com/a/29824550/2601552
 function decodeHtmlCharacters(str: string) {
+  str = str.replace(htmlTabEntityRegex, "&#9;");
   return str.replace(htmlEntitiesRegex, (match, dec) => {
     return String.fromCharCode(dec);
   });
