fix URL contextual auto-escapping preventing good URL protocols

straker · Feb 3, 2017 · 872c5d0 · 872c5d0
1 parent ffd826f
commit 872c5d0
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/index.js b/index.js
@@ -306,7 +306,7 @@ if (typeof window.html === 'undefined') {
                   // the entire url (will not allow any 'javascript:' or filter
                   // evasion techniques)
                   if (offset === 0 && substitutionValue.indexOf(':') !== -1) {
-                    let protocol = substitutionValue.substring(index-5, index);
+                    let protocol = substitutionValue.substring(0, 5);
                     if (protocol.indexOf('http') === -1) {
                       isRejected = true;
                     }

diff --git a/test/xss.test.js b/test/xss.test.js
@@ -151,4 +151,17 @@ describe('XSS Attack Vectors', function() {
     expect(el.getAttribute('href').indexOf('/bar')).to.equal(-1);
   });
 
+  it('should allow a URL if it has a safe protocol', function() {
+    var protocol = 'http://localhost:500';
+    var value = '/foo?id=true';
+    var el = html`<a href="${protocol}/bar${value}">`;
+
+    expect(el.getAttribute('href')).to.equal('http://localhost:500/bar/foo?id=true');
+
+    var protocol = 'https://localhost:500';
+    var el = html`<a href="${protocol}/bar${value}">`;
+
+    expect(el.getAttribute('href')).to.equal('https://localhost:500/bar/foo?id=true');
+  });
+
 });