This repository has been archived by the owner on Sep 5, 2018. It is now read-only.

Valid urls are sometimes corrupted by secure handlebars #25

Open
masumsoft opened this issue May 19, 2016 · 1 comment

@masumsoft

masumsoft commented May 19, 2016

Say the url variable has a value like the following:

https://www.youtube.com/attribution_link?a=VpG9_JLmyoY&u=%2Fwatch%3Fv%3DO0Wxve2rbDw%26feature%3Dshare

Now using the url variable in the handlebars corrupts the url:

<a href="{{url}}">something</a> 

The above url becomes corrupt by means of double URL-encoding in one of its GET params, like the following:

https://www.youtube.com/attribution_link?a=VpG9_JLmyoY&u=%252Fwatch%253Fv%253DO0Wxve2rbDw%2526feature%253Dshare
@adon-at-work
Contributor

adon-at-work commented May 23, 2016

A quick fix to the aforementioned issue is to apply a filter that does:
str.replace(/%25([A-Fa-f0-9]{2})/g, '%$1');
to remove double URL encoding after calling encodeURI in:
https://github.com/yahoo/xss-filters/blob/master/src/xss-filters.js#L326
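Added example (not code from secure-handlebars or xss-filters) that reproduces the double encoding reported above and applies the post-filter suggested in the reply; it assumes the href filter referenced there runs encodeURI over the whole attribute value:

```javascript
// Baseline behaviour of the filter as described in the issue: encodeURI has no
// way to know that '%2F' is already an encoded '/', so it treats '%' as a
// literal character and emits '%252F'.
function encodeHref(url) {
  return encodeURI(url);
}

// The quick fix proposed in the reply: collapse '%25' followed by two hex
// digits back to a single percent-encoded byte, undoing one layer of encoding.
function undoDoubleEncoding(str) {
  return str.replace(/%25([A-Fa-f0-9]{2})/g, '%$1');
}

function fixedEncodeHref(url) {
  return undoDoubleEncoding(encodeHref(url));
}

// Reads the 'u' query parameter and decodes it once, as the receiving server
// would, to show what the redirect target actually becomes in each case.
function decodedUParam(href) {
  const m = /[?&]u=([^&#]*)/.exec(href);
  return m ? decodeURIComponent(m[1]) : null;
}

// Constructed inputs: the URL from the report plus two extra cases.
const REPORTED_URL =
  'https://www.youtube.com/attribution_link?a=VpG9_JLmyoY&u=%2Fwatch%3Fv%3DO0Wxve2rbDw%26feature%3Dshare';
// Still-unencoded input: the fix must not stop encodeURI from encoding it.
const UNENCODED_URL = 'https://example.com/search?u=a b';
// Caveat: the fix assumes every '%XX' in the input is already an encoded byte.
// A literal '%' that happens to precede two hex digits (the characters
// "100%20") is indistinguishable from an encoded space, so it stays '%20'
// where plain encodeURI would have produced '%2520'.
const AMBIGUOUS_URL = 'https://example.com/?q=100%20';

console.log(encodeHref(REPORTED_URL));      // ...u=%252Fwatch%253F... (corrupted)
console.log(fixedEncodeHref(REPORTED_URL)); // ...u=%2Fwatch%3F... (unchanged)
console.log(decodedUParam(encodeHref(REPORTED_URL)));      // still percent-encoded
console.log(decodedUParam(fixedEncodeHref(REPORTED_URL))); // /watch?v=...&feature=share
```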
