url: Escape all unwise characters

isaacs · isaacs · commit 17a379ec39a3 · 2013-04-12T11:39:28.000-07:00
This makes node's http URL handling logic identical to Chrome's Re nodejs#5284
diff --git a/lib/url.js b/lib/url.js
@@ -57,13 +57,12 @@ var protocolPattern = /^([a-z0-9.+-]+:)/i,
     unwise = ['{', '}', '|', '\\', '^', '~', '`'].concat(delims),
 
     // Allowed by RFCs, but cause of XSS attacks.  Always escape these.
-    autoEscape = ['\''].concat(delims),
+    autoEscape = ['\''].concat(unwise),
     // Characters that are never ever allowed in a hostname.
     // Note that any invalid chars are also handled, but these
     // are the ones that are *expected* to be seen, so we fast-path
     // them.
-    nonHostChars = ['%', '/', '?', ';', '#']
-      .concat(unwise).concat(autoEscape),
+    nonHostChars = ['%', '/', '?', ';', '#'].concat(autoEscape),
     nonAuthChars = ['/', '@', '?', '#'].concat(delims),
     hostnameMaxLen = 255,
     hostnamePartPattern = /^[a-z0-9A-Z_-]{0,63}$/,
diff --git a/test/simple/test-url.js b/test/simple/test-url.js
@@ -741,6 +741,17 @@ var parseTests = {
     'path': '/test',
   },
 
+  'http://x:1/\' <>"`/{}|\\^~`/': {
+    protocol: 'http:',
+    slashes: true,
+    host: 'x:1',
+    port: '1',
+    hostname: 'x',
+    pathname: '/%27%20%3C%3E%22%60/%7B%7D%7C%5C%5E%7E%60/',
+    path: '/%27%20%3C%3E%22%60/%7B%7D%7C%5C%5E%7E%60/',
+    href: 'http://x:1/%27%20%3C%3E%22%60/%7B%7D%7C%5C%5E%7E%60/'
+  },
+
 };
 
 for (var u in parseTests) {
