Description: serialize URL string contents to prevent XSS
Author: Ryan Delaney <ryan@reverecre.com>
Origin: upstream, https://github.com/yahoo/serialize-javascript/commit/f27d65d3
Bug: https://github.com/yahoo/serialize-javascript/pull/173
Bug-Debian: https://bugs.debian.org/1095767
Forwarded: not-needed
Applied-Upstream: 6.0.2, commit:f27d65d3
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2025-04-09
--- a/index.js
+++ b/index.js
@@ -258,7 +258,7 @@
}
if (type === 'L') {
- return "new URL(\"" + urls[valueIndex].toString() + "\")";
+ return "new URL(" + serialize(urls[valueIndex].toString(), options) + ")";
}
var fn = functions[valueIndex];
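Review bot: The replacement line at L18 now routes the href through `serialize(..., options)`, so the escaping of `<`, `>` and `/` only happens under the library's default options; if the caller has disabled escaping (the library's `unsafe` option, as far as I recall), the URL text is interpolated into the `new URL(...)` expression unescaped, exactly as before the fix. That is consistent with how string values are already treated, but it deserves a comment so the next maintainer does not "simplify" it back to a bare `toString()`: `// Escape the href like any other string so that an opaque-path URL such as x:</script> cannot break out of an inline <script>; this inherits the caller's escaping options.` The enclosing function that computes `type` and `valueIndex` starts and ends outside the hunk, so I cannot tell from here whether `options` is the same object the top-level serialize() received or a per-call copy.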
--- a/test/unit/serialize.js
+++ b/test/unit/serialize.js
@@ -455,8 +455,8 @@
describe('URL', function () {
it('should serialize URL', function () {
var u = new URL('https://x.com/')
- expect(serialize(u)).to.equal('new URL("https://x.com/")');
- expect(serialize({t: [u]})).to.be.a('string').equal('{"t":[new URL("https://x.com/")]}');
+ expect(serialize(u)).to.equal('new URL("https:\\u002F\\u002Fx.com\\u002F")');
+ expect(serialize({t: [u]})).to.be.a('string').equal('{"t":[new URL("https:\\u002F\\u002Fx.com\\u002F")]}');
});
it('should deserialize URL', function () {
@@ -471,6 +471,8 @@
expect(serialize('</script>')).to.equal('"\\u003C\\u002Fscript\\u003E"');
expect(JSON.parse(serialize('</script>'))).to.equal('</script>');
expect(eval(serialize('</script>'))).to.equal('</script>');
+ expect(serialize(new URL('x:</script>'))).to.equal('new URL("x:\\u003C\\u002Fscript\\u003E")');
+ expect(eval(serialize(new URL('x:</script>'))).href).to.equal('x:</script>');
});
});
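Review bot: The added assertions at L37–L38 pin the `</script>` case but not a double quote, which was the other way the old `"new URL(\"" + ... + "\")"` concatenation could produce invalid or attacker-shaped output; if the URL parser preserves `"` in an opaque path (it is not percent-encoded there, unlike in special-scheme URLs), a round-trip such as `expect(eval(serialize(new URL('x:a"b'))).href).to.equal('x:a"b');` would document that the JSON-style escaping of the quote is now part of the contract. The `it(...)` block these lines belong to begins outside the hunk.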