Merge tag '4.19.1' into 5.x

wesleytodd · wesleytodd · commit 60fb1d2acd7f · 2024-03-20T21:17:26.000-05:00
4.19.1
diff --git a/History.md b/History.md
@@ -1,7 +1,7 @@
 5.x
 ===
 
-This incorporates all changes after 4.17.2 up to 4.17.3.
+This incorporates all changes after 4.17.2 up to 4.19.1.
 
 5.0.0-beta.1 / 2022-02-14
 =========================
@@ -162,7 +162,12 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
   * add:
     - `app.router` is a reference to the base router
 
-4.18.3 / 2024-03-20
+4.19.1 / 2024-03-20
+==========
+
+  * Allow passing non-strings to res.location with new encoding handling checks
+
+4.19.0 / 2024-03-20
 ==========
 
   * Prevent open redirect allow list bypass due to encodeurl
diff --git a/lib/response.js b/lib/response.js
@@ -773,7 +773,7 @@ res.cookie = function (name, value, options) {
  */
 
 res.location = function location(url) {
-  var loc = url;
+  var loc = String(url);
 
   // "back" is an alias for the referrer
   if (url === 'back') {
diff --git a/test/res.location.js b/test/res.location.js
@@ -58,7 +58,7 @@ describe('res', function(){
       });
 
       request(app)
-        .get('/?q=http://google.com\\@apple.com')
+        .get('/?q=http://google.com' + encodeURIComponent('\\@apple.com'))
         .expect(200)
         .expect('Location', 'http://google.com\\@apple.com')
         .end(function (err) {
@@ -68,7 +68,7 @@ describe('res', function(){
 
           // This ensures that our protocol check is case insensitive
           request(app)
-            .get('/?q=HTTP://google.com\\@apple.com')
+            .get('/?q=HTTP://google.com' + encodeURIComponent('\\@apple.com'))
             .expect(200)
             .expect('Location', 'HTTP://google.com\\@apple.com')
             .end(done)
@@ -145,5 +145,20 @@ describe('res', function(){
         .expect(200, done)
       })
     })
+
+    if (typeof URL !== 'undefined') {
+      it('should accept an instance of URL', function (done) {
+        var app = express();
+
+        app.use(function(req, res){
+          res.location(new URL('http://google.com/')).end();
+        });
+
+        request(app)
+          .get('/')
+          .expect('Location', 'http://google.com/')
+          .expect(200, done);
+      });
+    }
   })
 })
