Fix #3270 Escape url.parse delims

Rather than omitting them.
nodejs · May 16, 2012 · 9fc7283 · 9fc7283
1 parent c393853
commit 9fc7283
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 38 deletions.
diff --git a/lib/url.js b/lib/url.js
@@ -32,12 +32,16 @@ exports.format = urlFormat;
 // compiled once on the first module load.
 var protocolPattern = /^([a-z0-9.+-]+:)/i,
     portPattern = /:[0-9]*$/,
+
     // RFC 2396: characters reserved for delimiting URLs.
+    // We actually just auto-escape these.
     delims = ['<', '>', '"', '`', ' ', '\r', '\n', '\t'],
+
     // RFC 2396: characters not allowed for various reasons.
     unwise = ['{', '}', '|', '\\', '^', '~', '`'].concat(delims),
+
     // Allowed by RFCs, but cause of XSS attacks.  Always escape these.
-    autoEscape = ['\''],
+    autoEscape = ['\''].concat(delims),
     // Characters that are never ever allowed in a hostname.
     // Note that any invalid chars are also handled, but these
     // are the ones that are *expected* to be seen, so we fast-path
@@ -95,13 +99,9 @@ function urlParse(url, parseQueryString, slashesDenoteHost) {
   var out = {},
       rest = url;
 
-  // cut off any delimiters.
-  // This is to support parse stuff like "<http://foo.com>"
-  for (var i = 0, l = rest.length; i < l; i++) {
-    if (delims.indexOf(rest.charAt(i)) === -1) break;
-  }
-  if (i !== 0) rest = rest.substr(i);
-
+  // trim before proceeding.
+  // This is to support parse stuff like "  http://foo.com  \n"
+  rest = rest.trim();
 
   var proto = protocolPattern.exec(rest);
   if (proto) {
@@ -271,16 +271,6 @@ function urlParse(url, parseQueryString, slashesDenoteHost) {
       }
       rest = rest.split(ae).join(esc);
     }
-
-    // Now make sure that delims never appear in a url.
-    var chop = rest.length;
-    for (var i = 0, l = delims.length; i < l; i++) {
-      var c = rest.indexOf(delims[i]);
-      if (c !== -1) {
-        chop = Math.min(c, chop);
-      }
-    }
-    rest = rest.substr(0, chop);
   }