Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 32 additions & 25 deletions src/lib/isURL.js
Original file line number Diff line number Diff line change
Expand Up @@ -115,39 +115,46 @@ export default function isURL(url, options) {
const starts_with_slashes = after_colon.slice(0, 2) === '//';

if (!starts_with_slashes) {
const first_slash_position = after_colon.indexOf('/');
const before_slash = first_slash_position === -1
? after_colon
: after_colon.substring(0, first_slash_position);
const at_position = before_slash.indexOf('@');

if (at_position !== -1) {
const before_at = before_slash.substring(0, at_position);
const valid_auth_regex = /^[a-zA-Z0-9\-_.%:]*$/;
const is_valid_auth = valid_auth_regex.test(before_at);

if (is_valid_auth) {
// This looks like authentication (e.g., user:password@host), not a protocol
if (options.require_protocol) {
return false;
const is_port_like = /^[0-9]+(?:[/?#]|$)/.test(after_colon);
if (is_port_like) {
if (options.require_protocol) {
return false;
}
} else {
const first_slash_position = after_colon.indexOf('/');
const before_slash = first_slash_position === -1
? after_colon
: after_colon.substring(0, first_slash_position);
const at_position = before_slash.indexOf('@');

if (at_position !== -1) {
const before_at = before_slash.substring(0, at_position);
const valid_auth_regex = /^[a-zA-Z0-9\-_.%:]*$/;
const is_valid_auth = valid_auth_regex.test(before_at);

if (is_valid_auth) {
// This looks like authentication (e.g., user:password@host), not a protocol
if (options.require_protocol) {
return false;
}

// Don't consume the colon; let the auth parsing handle it later
} else {
// This looks like a malicious protocol (e.g., javascript:alert();@host)
url = cleanUpProtocol(potential_protocol);

if (url === false) {
return false;
}
}

// Don't consume the colon; let the auth parsing handle it later
} else {
// This looks like a malicious protocol (e.g., javascript:alert();@host)
// No @ symbol, this is definitely a protocol
url = cleanUpProtocol(potential_protocol);

if (url === false) {
return false;
}
}
} else {
// No @ symbol, this is definitely a protocol
url = cleanUpProtocol(potential_protocol);

if (url === false) {
return false;
}
}
} else {
// Starts with '//', this is definitely a protocol like http://
Expand Down
1 change: 1 addition & 0 deletions test/validators.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -499,6 +499,7 @@ describe('Validators', () => {
'localhost',
'localhost:3000',
'service-name:8080',
'my-3272-service:9000',
'https://localhost',
'http://localhost:3000',
'http://service-name:8080',
Expand Down
Loading