Currently, invalid Punycode such as ls8h= will be successfully decoded. It should fail instead.
I think this comes about because basicToDigit was copied from C code in the punycode RFC, but that RFC uses unsigned integers, whereas JS only has signed integers (AFAIK). We need to check that the result of, say, codePoint - 0x30 is not negative -- or, as done here, check that codePoint >= 0x30.
Currently, invalid Punycode such as
ls8h=
will be successfully decoded. It should fail instead.I think this comes about because
basicToDigit
was copied from C code in the punycode RFC, but that RFC uses unsigned integers, whereas JS only has signed integers (AFAIK). We need to check that the result of, say,codePoint - 0x30
is not negative -- or, as done here, check thatcodePoint >= 0x30
.