strip ascii tab/newline from urls before protocol check#21433
strip ascii tab/newline from urls before protocol check#21433rootvector2 wants to merge 1 commit into
Conversation
|
|
||
| if (typeof url === 'string') { | ||
| protocol = nodeURL.parse(url).protocol; | ||
| // browsers strip ASCII tab/newline/CR from urls before navigating, so |
There was a problem hiding this comment.
i didn't know this! do you have a link to a spec or something here? or... why don't we use URL's parse?
There was a problem hiding this comment.
It's in the WHATWG URL parser itself: step 2 of the basic URL parser says "Remove all ASCII tab or newline from input," where ASCII tab or newline is U+0009, U+000A, U+000D (https://url.spec.whatwg.org/#url-parsing). So new URL('java\nscript:alert(1)').protocol already comes back as javascript:. Node's legacy url.parse predates that and keeps the characters, so it reports a null protocol instead.
On using URL's parse here: we can't on this branch. This is the fastboot path, and fastboot sets the URL global to node's require('url') module, so URL isn't the WHATWG constructor anymore (that's what the comment above and the weirdURL.parse object check are detecting). The non-fastboot else branch does use new URL() and already gets this for free. Stripping the chars here just mirrors that behavior until fastboot stops shadowing the global.
There was a problem hiding this comment.
so URL isn't the WHATWG constructor anym
would that make node's URL constructor wrong? I already have an RFC around some phrasing around "SSR environments need to properly implement a rendering env"
would love your feedback.
the main goal I have is to remove all non-standard codepaths in the codebase, so that we can:
- be leaner
- force rendering environments to not push their quirks back on to us
There was a problem hiding this comment.
Node's WHATWG URL constructor isn't wrong, it strips those per spec. The non-standard bits are the legacy url.parse and the fact that fastboot swaps the URL global for the old require('url') module, so this branch can't reach the spec-compliant parser. If the RFC gets SSR envs to stop shadowing URL, this whole legacy branch and this patch go away with it, so the direction lines up with what you want. I'll leave some notes on the RFC. Happy to keep this as a stopgap until then.
2 participants
On the fastboot path
findProtocolForURLuses node'surl.parse, which keeps embedded ASCII tab/newline/CR and reports a null protocol for something likejava\nscript:alert(1), so it slips past the badProtocols check and gets serialized into the href untouched. Browsers strip those characters before navigating, so the value runs asjavascript:. The WHATWGURLparser used on the non-fastboot path already drops them, so strip them here too before parsing.