feat: re-handle embedded encoding, add tests

Co-authored-by: Iris Booker <[email protected]>

src/__tests__/index.test.ts

@@ -146,6 +146,23 @@ describe("sanitizeUrl", () => {
       expect(sanitizeUrl(vector)).toBe(BLANK_URL);
     });
   });
+
+  it("backslash prefixed attack vectors", () => {
+    const attackVectors = [
+      "\fjavascript:alert()",
+      "\vjavascript:alert()",
+      "\tjavascript:alert()",
+      "\njavascript:alert()",
+      "\rjavascript:alert()",
+      "\u0000javascript:alert()",
+      "\u0001javascript:alert()",
+      "\j\av\a\s\cript:alert()",
+    ];
+
+    attackVectors.forEach((vector) => {
+      expect(sanitizeUrl(vector)).toBe(BLANK_URL);
+    });
+  });
 
   describe("invalid protocols", () => {
     describe.each(["javascript", "data", "vbscript"])("%s", (protocol) => {

src/index.ts

@@ -29,6 +29,17 @@ function isValidUrl(url: string): boolean {
   }
 }
 
+function decodeURI(uri: string): string {
+  try {
+    return decodeURIComponent(uri);
+  } catch (e: unknown) {
+    // Ignoring error
+    // It is possible that the URI contains a `%` not associated
+    // with URI/URL-encoding.
+    return uri;
+  }
+}
+
 function sanitizeString(str: string): string {
   return str
     .replace(/[^a-zA-Z0-9-_./]/g, '')
@@ -43,14 +54,17 @@ export function sanitizeUrl(url?: string): string {
   }
 
   let charsToDecode;
-  let decodedUrl = url.trim();
+  let decodedUrl = decodeURI(url.trim());
 
   do {
     decodedUrl = decodeHtmlCharacters(decodedUrl)
       .replace(htmlCtrlEntityRegex, "")
       .replace(ctrlCharactersRegex, "")
       .replace(whitespaceEscapeCharsRegex, "")
       .trim();
+
+    decodedUrl = decodeURI(decodedUrl);
+
     charsToDecode =
       decodedUrl.match(ctrlCharactersRegex) ||
       decodedUrl.match(htmlEntitiesRegex) ||