Skip to content

Commit f605a9c

Browse files
WikiRikWikiRik
authored
fix(isURL): handle possible bypass with URL-encoded content (#2633)
* fix(isURL): handle possible bypass with URL-encoded content * style: fix indentation
1 parent a165ebe commit f605a9c

File tree

2 files changed

+9
-2
lines changed

2 files changed

+9
-2
lines changed

src/lib/isURL.js

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -126,7 +126,12 @@ export default function isURL(url, options) {
126126
const valid_auth_regex = /^[a-zA-Z0-9\-_.%:]*$/;
127127
const is_valid_auth = valid_auth_regex.test(before_at);
128128

129-
if (is_valid_auth) {
129+
// Check if this contains URL-encoded content that could be malicious
130+
// For example: javascript:%61%6c%65%72%74%28%31%29@example.com
131+
// The encoded part decodes to: alert(1)
132+
const has_encoded_content = /%[0-9a-fA-F]{2}/.test(before_at);
133+
134+
if (is_valid_auth && !has_encoded_content) {
130135
// This looks like authentication (e.g., user:password@host), not a protocol
131136
if (options.require_protocol) {
132137
return false;
@@ -135,6 +140,7 @@ export default function isURL(url, options) {
135140
// Don't consume the colon; let the auth parsing handle it later
136141
} else {
137142
// This looks like a malicious protocol (e.g., javascript:alert();@host)
143+
// or URL-encoded protocol handler (e.g., javascript:%61%6c%65%72%74%28%31%29@host)
138144
url = cleanUpProtocol(potential_protocol);
139145

140146
if (url === false) {

test/validators.test.js

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -426,7 +426,6 @@ describe('Validators', () => {
426426
'http://1337.com',
427427
// TODO: those probably should not be marked as valid URLs; CVE-2025-56200
428428
/* eslint-disable no-script-url */
429-
'javascript:%61%6c%65%72%74%28%31%29@example.com',
430429
'http://evil-site.com@example.com/',
431430
'javascript:alert(1)@example.com',
432431
/* eslint-enable no-script-url */
@@ -480,6 +479,8 @@ describe('Validators', () => {
480479
'javascript:var a=1; alert(a);@example.com',
481480
'javascript:alert(1)@user@example.com',
482481
'javascript:alert(1)@example.com?q=safe',
482+
'javascript:%61%6c%65%72%74%28%31%29@example.com',
483+
'javascript:%22@a.com#";alert(origin)//',
483484
'data:text/html,<script>alert(1)</script>@example.com',
484485
'vbscript:msgbox("XSS")@example.com',
485486
'//evil-site.com/path@example.com',

0 commit comments

Comments
 (0)