YahooArchive / express-secure-handlebars

Express with Secure Handlebars
BSD 3-Clause "New" or "Revised" License

Valid urls are sometimes corrupted by secure handlebars #25

Open masumsoft opened 8 years ago

masumsoft commented 8 years ago

Say the url variable has a value like the following:

https://www.youtube.com/attribution_link?a=VpG9_JLmyoY&u=%2Fwatch%3Fv%3DO0Wxve2rbDw%26feature%3Dshare

Now using the url variable in Handlebars corrupts the URL:

<a href="{{url}}">something</a> 

The above URL becomes corrupted by double URL-encoding in one of its GET params, like the following:

https://www.youtube.com/attribution_link?a=VpG9_JLmyoY&u=%252Fwatch%253Fv%253DO0Wxve2rbDw%2526feature%253Dshare
adon-at-work commented 8 years ago

A quick fix to the aforementioned issue is to apply a filter that does: str.replace(/%25([A-Fa-f0-9]{2})/g, '%$1'); to remove double URL encoding after calling encodeURI in: https://github.com/yahoo/xss-filters/blob/master/src/xss-filters.js#L326
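Added example, not code from express-secure-handlebars or yahoo/xss-filters: it reproduces the double encoding from the report with plain encodeURI, applies the replace() filter suggested above, and adds one constructed raw value (`100%41`, meant literally) to show where that filter changes the meaning of a URL. Only the YouTube URL comes from the issue; the other sample inputs and all function names are assumptions made for this example.

```javascript
// Added example, not code from express-secure-handlebars or yahoo/xss-filters.
// It reproduces the double URL-encoding reported in this issue, applies the
// replace() filter proposed as a quick fix, and shows one constructed input
// where that filter changes the meaning of the URL.

// The URL from the report: the `u` parameter is already percent-encoded.
const REPORTED_URL =
  'https://www.youtube.com/attribution_link?a=VpG9_JLmyoY&u=%2Fwatch%3Fv%3DO0Wxve2rbDw%26feature%3Dshare';

// Reproduction of the bug: encodeURI treats '%' as a plain character and
// rewrites it as '%25', so an already-encoded '%2F' becomes '%252F'.
function doubleEncode(url) {
  return encodeURI(url);
}

// The quick fix from the comment above: collapse '%25XX' back to '%XX'
// wherever XX is a pair of hex digits.
function undoDoubleEncoding(str) {
  return str.replace(/%25([A-Fa-f0-9]{2})/g, '%$1');
}

// encodeURI followed by the collapse filter, as the proposed change would do.
function encodeThenCollapse(url) {
  return undoDoubleEncoding(encodeURI(url));
}

// Decode helper: returns the decoded string, or null when the input holds a
// malformed percent-sequence (decodeURIComponent throws URIError for those).
function decodeOrNull(str) {
  try {
    return decodeURIComponent(str);
  } catch (e) {
    if (e instanceof URIError) return null;
    throw e;
  }
}

// Caveat: the filter cannot tell "already percent-encoded" input apart from
// raw input that happens to contain '%' followed by two hex digits. The raw
// (constructed) value '100%41' is encoded correctly by encodeURI alone, but
// after the collapse filter it decodes to '100A' instead.
const RAW_PERCENT_VALUE = '100%41'; // constructed sample, meant literally

// Collects the four results side by side for a quick look in a REPL.
function demo() {
  return {
    doubleEncoded: doubleEncode(REPORTED_URL),
    collapsed: encodeThenCollapse(REPORTED_URL),
    rawEncodedOnly: decodeOrNull(encodeURI(RAW_PERCENT_VALUE)),
    rawAfterFilter: decodeOrNull(encodeThenCollapse(RAW_PERCENT_VALUE)),
  };
}

console.log(demo());
```

The collapse filter restores the reported URL exactly, but it is lossy for raw input: a literal percent sign followed by two hex digits is silently reinterpreted as an escape sequence. The filter is therefore safe only if the template is guaranteed to receive already-encoded URLs, so the decision to make is whether inputs are raw or encoded, not how to patch the output afterwards.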