Merge pull request #61 from braintree/LI-16155-Null-Byte

Sanitize Null Byte Prior to HTML Decoding
braintree · Aug 2, 2023 · 69c1767 · 69c1767
2 parents 5641cbf + d98e430
commit 69c1767
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # CHANGELOG
 
+## UNRELEASED
+
+- Add additional null byte sanitization prior to html decoding (#48)
+
 ## 6.0.3
 
 - Add null check to beginning of `sanitizeUrl` function ([#54](https://github.com/braintree/sanitize-url/issues/54))

diff --git a/src/__tests__/index.test.ts b/src/__tests__/index.test.ts
@@ -107,6 +107,7 @@ describe("sanitizeUrl", () => {
       "jav&#x09;ascript:alert('XSS');",
       " &#14; javascript:alert('XSS');",
       "javasc&Tab;ript: alert('XSS');",
+      "javasc&#\u0000x09;ript:alert(1)",
     ];
 
     attackVectors.forEach((vector) => {

diff --git a/src/index.ts b/src/index.ts
@@ -14,7 +14,8 @@ function isRelativeUrlWithoutProtocol(url: string): boolean {
 
 // adapted from https://stackoverflow.com/a/29824550/2601552
 function decodeHtmlCharacters(str: string) {
-  return str.replace(htmlEntitiesRegex, (match, dec) => {
+  const removedNullByte = str.replace(ctrlCharactersRegex, "");
+  return removedNullByte.replace(htmlEntitiesRegex, (match, dec) => {
     return String.fromCharCode(dec);
   });
 }