author | isaacs <i@izs.me> | 2013-04-12 11:39:28 -0700 |
---|---|---|
committer | isaacs <i@izs.me> | 2013-04-12 11:39:28 -0700 |
commit | 17a379ec39a34408477ac6a43751c1b9b2e952a4 (patch) | |
tree | 47acef703da13b62739c6abe705df543a86158f3 /lib/url.js | |
parent | 061151c5f5e56166c7db0384520b0a5f7efe4161 (diff) | |
url: Escape all unwise characters
This makes node's http URL handling logic identical to Chrome's
Re #5284
Diffstat (limited to 'lib/url.js')
-rw-r--r-- | lib/url.js | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/lib/url.js b/lib/url.js
index b8ba3fb1dd..95b72ddd4f 100644
--- a/lib/url.js
+++ b/lib/url.js
@@ -57,13 +57,12 @@ var protocolPattern = /^([a-z0-9.+-]+:)/i,
 unwise = ['{', '}', '|', '\\', '^', '~', '`'].concat(delims),
 // Allowed by RFCs, but cause of XSS attacks. Always escape these.
- autoEscape = ['\''].concat(delims),
+ autoEscape = ['\''].concat(unwise),
 // Characters that are never ever allowed in a hostname.
 // Note that any invalid chars are also handled, but these
 // are the ones that are *expected* to be seen, so we fast-path
 // them.
- nonHostChars = ['%', '/', '?', ';', '#']
- .concat(unwise).concat(autoEscape),
+ nonHostChars = ['%', '/', '?', ';', '#'].concat(autoEscape),
 nonAuthChars = ['/', '@', '?', '#'].concat(delims),
 hostnameMaxLen = 255,
 hostnamePartPattern = /^[a-z0-9A-Z_-]{0,63}$/, |
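Review bot: Concatenating `unwise` into `autoEscape` also puts `'~'` on the always-escape list, because the context line that defines `unwise` includes it. `~` is an unreserved character in RFC 3986, so a path such as `/~user/` would presumably be rewritten to `/%7Euser/` by the escaping code, which lies outside this hunk. Browsers leave `~` untouched, so this works against the stated goal of matching Chrome; I would drop that entry, ``unwise = ['{', '}', '|', '\\', '^', '`'].concat(delims),``. The `'\\'` entry deserves the same check: browsers normalise a backslash in an http URL to `/` rather than percent-encoding it, and a parser that disagrees with the browser on where the host ends can undermine URL allow-list checks. The `var` statement begins and ends outside the hunk, so how `autoEscape` is consumed should be confirmed there.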