
Change lookahead token order in two URL sanitation regular expressions

Dorian Niemiec 2024-02-28 21:45:47 +01:00
parent ae630a1625
commit bd5ab63954

2
svr.js

@ -1311,7 +1311,7 @@ function sanitizeURL(resource) {
// Convert backslashes to slashes and remove duplicate slashes // Convert backslashes to slashes and remove duplicate slashes
sanitizedResource = sanitizedResource.replace(/\\/g, "/").replace(/\/+/g, "/"); sanitizedResource = sanitizedResource.replace(/\\/g, "/").replace(/\/+/g, "/");
// Handle relative navigation (e.g., "/./", "/../", "../", "./"), also remove trailing dots in paths // Handle relative navigation (e.g., "/./", "/../", "../", "./"), also remove trailing dots in paths
sanitizedResource = sanitizedResource.replace(/\/\.(?:\.{2,})?(?=$|\/)/g, "").replace(/([^.\/])\.+(?=$|\/)/g, "$1"); sanitizedResource = sanitizedResource.replace(/\/\.(?:\.{2,})?(?=\/|$)/g, "").replace(/([^.\/])\.+(?=\/|$)/g, "$1");
while (sanitizedResource.match(/\/(?!\.\.\/)[^\/]+\/\.\.(?=\/|$)/g)) { while (sanitizedResource.match(/\/(?!\.\.\/)[^\/]+\/\.\.(?=\/|$)/g)) {
sanitizedResource = sanitizedResource.replace(/\/(?!\.\.\/)[^\/]+\/\.\.(?=\/|$)/g, ""); sanitizedResource = sanitizedResource.replace(/\/(?!\.\.\/)[^\/]+\/\.\.(?=\/|$)/g, "");
} }
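Review bot: The pair-collapsing pattern `/\/(?!\.\.\/)[^\/]+\/\.\.(?=\/|$)/g` is written out twice, once in the `while` condition and once in the `replace` inside the loop, and the `(?=\/|$)` lookahead now appears four times across these lines, so any later edit has to be repeated by hand in each copy; binding the pattern to one local and passing it to both `match` and `replace` would keep the copies from drifting. Because both alternatives of a lookahead are tried either way, the reordering on the changed line should not alter what matches, and a short comment such as `// (?=\/|$): segment ends at a slash or at end of string` would record that intent. The loop only removes a `/segment/..` pair, so a path with more `..` components than preceding segments presumably still holds a leading `/..` when the loop exits; sanitizeURL continues outside this hunk, so whether that remainder is stripped afterwards cannot be confirmed from here and is worth pinning with a regression test on the sanitizer's output.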