From f8210844355a38deb4ba83b3126860044fb58536 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Tyrkk=C3=B6?= <Marcholio@users.noreply.github.com>
Date: Sat, 30 Oct 2021 12:34:38 +0300
Subject: [PATCH] fix(unescape): fixed bug where intermediate string contains
 escaped characters (#1835)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Fixed bug where intermediate string contains escaped characters

* Added reference to issue

Co-authored-by: Markus Tyrkkö <markus.tyrkko@nitor.com>
Co-authored-by: Markus <markus.tyrkko@gmail.com>
---
 src/lib/unescape.js | 9 ++++++---
 test/sanitizers.js  | 3 +++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/lib/unescape.js b/src/lib/unescape.js
index 213a0f70b..feb255ac0 100644
--- a/src/lib/unescape.js
+++ b/src/lib/unescape.js
@@ -2,12 +2,15 @@ import assertString from './util/assertString';
 
 export default function unescape(str) {
   assertString(str);
-  return (str.replace(/&amp;/g, '&')
-    .replace(/&quot;/g, '"')
+  return (str.replace(/&quot;/g, '"')
     .replace(/&#x27;/g, "'")
     .replace(/&lt;/g, '<')
     .replace(/&gt;/g, '>')
     .replace(/&#x2F;/g, '/')
     .replace(/&#x5C;/g, '\\')
-    .replace(/&#96;/g, '`'));
+    .replace(/&#96;/g, '`')
+    .replace(/&amp;/g, '&'));
+  // &amp; replacement has to be the last one to prevent
+  // bugs with intermediate strings containing escape sequences
+  // See: https://github.com/validatorjs/validator.js/issues/1827
 }
diff --git a/test/sanitizers.js b/test/sanitizers.js
index 00ec35ab9..ecb0e128f 100644
--- a/test/sanitizers.js
+++ b/test/sanitizers.js
@@ -184,6 +184,9 @@ describe('Sanitizers', () => {
 
         'Backtick: &#96;':
             'Backtick: `',
+
+        'Escaped string: &amp;lt;':
+            'Escaped string: &lt;',
       },
     });
   });