this repo has no description
[bskylink] URL-encode apostrophes before HTML escaping (#9559)
authored by
surfdude29
and committed by
GitHub
177bdcd2
2027589c
+11
-1
+11
-1
bskylink/src/html/linkRedirectContents.ts
+11
-1
bskylink/src/html/linkRedirectContents.ts
···
1
1
import escapeHTML from 'escape-html'
2
2
3
3
export function linkRedirectContents(link: string): string {
4
+
// Encode characters that could break out of the single-quoted URL in meta refresh.
5
+
// HTML entity escaping (') is insufficient because the browser decodes entities
6
+
// before the meta refresh parser processes the URL, allowing apostrophes to
7
+
// prematurely terminate the URL string.
8
+
//
9
+
// Example: "They're" with HTML escaping becomes "They're" in HTML, but after
10
+
// the browser decodes the content attribute, the meta refresh parser sees "They're"
11
+
// and interprets the apostrophe as the closing quote, truncating the URL to "They".
12
+
const safeLink = link.replace(/'/g, '%27')
13
+
4
14
return `
5
15
<html>
6
16
<head>
7
-
<meta http-equiv="refresh" content="0; URL='${escapeHTML(link)}'" />
17
+
<meta http-equiv="refresh" content="0; URL='${escapeHTML(safeLink)}'" />
8
18
<meta
9
19
http-equiv="Cache-Control"
10
20
content="no-store, no-cache, must-revalidate, max-age=0" />