search

defunctzombie / node-url

node.js core url module as a module
MIT License
375 stars 96 forks source link

Does protocol casing affect the URL parsing? #32

Open armanm opened 7 years ago

armanm commented 7 years ago

I don't know enough about URL parsing to know if this is the correct behaviour but here is a test case:

const URL = require('url')

URL.parse('javascript:ALERT(DOCUMENT.DOMAIN)').href
// => 'javascript:ALERT(DOCUMENT.DOMAIN)'

URL.parse('JAVASCRIPT:ALERT(DOCUMENT.DOMAIN)').href
// => 'javascript:alert/(DOCUMENT.DOMAIN)'

As you can see in the latter example when protocol is specified in upper case, the href ends up partly lowercased and with an extra slash.

Could someone explain if this is a bug or a correct behaviour?

ljharb commented 3 years ago

In node 6+, i get 'javascript:ALERT(DOCUMENT.DOMAIN)' in both examples. In this module and node < 6, I get the behavior you report.

In other words, this is correct for older node versions, but is incorrect for later ones, so we'll fix this as part of updating the implementation.