From bd475a2e8e3b02589ecc6345ddc15124562af6df Mon Sep 17 00:00:00 2001
From: Dorian Niemiec <dorian.niemiec@svrjs.org>
Date: Fri, 18 Aug 2023 21:54:58 +0200
Subject: [PATCH] Fixed redirect loops related to URL sanitizer

---
 config.json |  4 ++--
 svr.js      | 15 +++++++++++----
 views.txt   |  2 +-
 3 files changed, 14 insertions(+), 7 deletions(-)
 mode change 100755 => 100644 svr.js

diff --git a/config.json b/config.json
index b1afe33..3fe6b7d 100644
--- a/config.json
+++ b/config.json
@@ -3,7 +3,7 @@
   "port": 80,
   "pubport": 80,
   "page404": "404.html",
-  "timestamp": 1692387275306,
+  "timestamp": 1692388365140,
   "blacklist": [],
   "nonStandardCodes": [],
   "enableCompression": true,
@@ -89,4 +89,4 @@
   "disableToHTTPSRedirect": false,
   "enableETag": true,
   "disableUnusedWorkerTermination": false
-}
\ No newline at end of file
+}
diff --git a/svr.js b/svr.js
old mode 100755
new mode 100644
index e940103..dded571
--- a/svr.js
+++ b/svr.js
@@ -1077,7 +1077,12 @@ function sanitizeURL(resource) {
   // Decode URL-encoded characters while preserving certain characters
   resource = resource.replace(/%([0-9a-f]{2})/gi, function (match, hex) {
     var decodedChar = String.fromCharCode(parseInt(hex, 16));
-    return /(?![;?:@&=+$,#%])[!-~]/.test(decodedChar) ? decodedChar : "%" + hex;
+    return /(?!["<>^`{|}?#%])[!-~]/.test(decodedChar) ? decodedChar : "%" + hex;
+  });
+  // Encode certain characters
+  resource = resource.replace(/[<>^`{|}]]/g, function (character) {
+    var charCode = character.charCodeAt(0);
+    return "%" + (charcode < 16 ? "0" : "") + charCode.toString(16).toUpperCase();
   });
   var sanitizedResource = resource;
   // Ensure the resource starts with a slash
@@ -1096,14 +1101,16 @@ function sanitizeURL(resource) {
 
 function fixNodeMojibakeURL(string) {
   var encoded = "";
-  Buffer.from(string, "latin1").forEach(function(value) {
+  Buffer.from(string, "latin1").forEach(function (value) {
     if(value > 127) {
       encoded += "%" + (value < 16 ? "0" : "") + value.toString(16).toUpperCase();
     } else {
-      encoded += String.fromCodePoint(value)
+      encoded += String.fromCodePoint(value);
     }
   });
-  return encoded;
+  return encoded.replace(/%[0-9a-f-A-F]{2}/g, function (match) {
+    return match.toUpperCase();
+  });
 }
 
 var key = "";
diff --git a/views.txt b/views.txt
index e440e5c..62f9457 100644
--- a/views.txt
+++ b/views.txt
@@ -1 +1 @@
-3
\ No newline at end of file
+6
\ No newline at end of file