1
0
Fork 0
forked from svrjs/svrjs

URL sanitizer function now uses less regular expression replacements.

This commit is contained in:
Dorian Niemiec 2024-02-28 21:43:43 +01:00
parent c3aba19ca3
commit ae630a1625

8
svr.js
View file

@ -1311,11 +1311,11 @@ function sanitizeURL(resource) {
// Convert backslashes to slashes and remove duplicate slashes // Convert backslashes to slashes and remove duplicate slashes
sanitizedResource = sanitizedResource.replace(/\\/g, "/").replace(/\/+/g, "/"); sanitizedResource = sanitizedResource.replace(/\\/g, "/").replace(/\/+/g, "/");
// Handle relative navigation (e.g., "/./", "/../", "../", "./"), also remove trailing dots in paths // Handle relative navigation (e.g., "/./", "/../", "../", "./"), also remove trailing dots in paths
sanitizedResource = sanitizedResource.replace(/\/\.(?:\.{2,})?(?=($|\/))/g, "$1").replace(/([^.\/])\.+(?=($|\/))/g, "$1$2").replace(/\/+/g, "/"); sanitizedResource = sanitizedResource.replace(/\/\.(?:\.{2,})?(?=$|\/)/g, "").replace(/([^.\/])\.+(?=$|\/)/g, "$1");
while (sanitizedResource.match(/\/(?!\.\.\/)[^\/]+\/\.\.(?=(\/|$))/g)) { while (sanitizedResource.match(/\/(?!\.\.\/)[^\/]+\/\.\.(?=\/|$)/g)) {
sanitizedResource = sanitizedResource.replace(/\/(?!\.\.\/)[^\/]+\/\.\.(?=(\/|$))/g, "$1").replace(/\/+/g, "/"); sanitizedResource = sanitizedResource.replace(/\/(?!\.\.\/)[^\/]+\/\.\.(?=\/|$)/g, "");
} }
sanitizedResource = sanitizedResource.replace(/\/\.\.(?=(\/|$))/g, "$1").replace(/\/+/g, "/"); sanitizedResource = sanitizedResource.replace(/\/\.\.(?=\/|$)/g, "");
if (sanitizedResource.length == 0) return "/"; if (sanitizedResource.length == 0) return "/";
else return sanitizedResource; else return sanitizedResource;
} }