Currently, invalid Punycode such as ls8h= will be successfully decoded. It should fail instead.
I think this comes about because basicToDigit was copied from C code in the punycode RFC, but that RFC uses unsigned integers, whereas JS only has signed integers (AFAIK). We need to check that the result of, say, codePoint - 0x30 is not negative -- or, as done here, check that codePoint >= 0x30.
Currently, invalid Punycode such as
ls8h=will be successfully decoded. It should fail instead.I think this comes about because
basicToDigitwas copied from C code in the punycode RFC, but that RFC uses unsigned integers, whereas JS only has signed integers (AFAIK). We need to check that the result of, say,codePoint - 0x30is not negative -- or, as done here, check thatcodePoint >= 0x30.