From bd9bc06d2bff26d1a9c83662e3453d0770da0f23 Mon Sep 17 00:00:00 2001
From: Andreas Lind <andreaslindpetersen@gmail.com>
Date: Thu, 26 Jul 2018 00:05:40 +0200
Subject: [PATCH] Avoid unescaping %uXXXX in iso-8859-1 mode

https://github.com/ljharb/qs/pull/268#discussion_r203587389
---
 lib/utils.js  | 3 ++-
 test/parse.js | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/utils.js b/lib/utils.js
index 2c37309b..747f9460 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -110,7 +110,8 @@ var assign = function assignSingleSource(target, source) {
 var decode = function (str, decoder, charset) {
     var strWithoutPlus = str.replace(/\+/g, ' ');
     if (charset === 'iso-8859-1') {
-        return unescape(strWithoutPlus); // Cannot throw
+        // unescape never throws, no try...catch needed:
+        return strWithoutPlus.replace(/%[0-9a-f]{2}/gi, unescape);
     }
     // utf-8
     try {
diff --git a/test/parse.js b/test/parse.js
index 83263d8f..eff07e09 100644
--- a/test/parse.js
+++ b/test/parse.js
@@ -627,5 +627,10 @@ test('parse()', function (t) {
         st.end();
     });
 
+    t.test('does not interpret %uXXXX syntax in iso-8859-1 mode', function (st) {
+        st.deepEqual(qs.parse('%u263A=%u263A', { charset: 'iso-8859-1' }), { '%u263A': '%u263A' });
+        st.end();
+    });
+
     t.end();
 });