From 11555820d65ff7ad53538709418f3e322742b1fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Tyrkk=C3=B6?=
Date: Fri, 29 Oct 2021 13:04:18 +0300
Subject: [PATCH 1/2] Fixed bug where intermediate string contains escaped characters
---
src/lib/unescape.js | 6 +++---
test/sanitizers.js | 3 +++
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/lib/unescape.js b/src/lib/unescape.js
index 213a0f70b..a8b13cee9 100644
--- a/src/lib/unescape.js
+++ b/src/lib/unescape.js
@@ -2,12 +2,12 @@ import assertString from './util/assertString';
 export default function unescape(str) {
 assertString(str);
- return (str.replace(/&/g, '&')
- .replace(/"/g, '"')
+ return (str.replace(/"/g, '"')
 .replace(/'/g, "'")
 .replace(/</g, '<')
 .replace(/>/g, '>')
 .replace(///g, '/')
 .replace(/\/g, '\\')
- .replace(/`/g, '`'));
+ .replace(/`/g, '`')
+ .replace(/&/g, '&'));
 }
diff --git a/test/sanitizers.js b/test/sanitizers.js
index 00ec35ab9..ecb0e128f 100644
--- a/test/sanitizers.js
+++ b/test/sanitizers.js
@@ -184,6 +184,9 @@ describe('Sanitizers', () => {
 'Backtick: `': 'Backtick: `',
+
+ 'Escaped string: &lt;':
+ 'Escaped string: <',
 },
 });
 });
From d799421ce332cd689da5a6c42fe2447e7dbf51fc Mon Sep 17 00:00:00 2001
From: Markus
Date: Sat, 30 Oct 2021 10:28:15 +0300
Subject: [PATCH 2/2] Added reference to issue
---
src/lib/unescape.js | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/lib/unescape.js b/src/lib/unescape.js
index a8b13cee9..feb255ac0 100644
--- a/src/lib/unescape.js
+++ b/src/lib/unescape.js
@@ -10,4 +10,7 @@ export default function unescape(str) {
 .replace(/\/g, '\\')
 .replace(/`/g, '`')
 .replace(/&/g, '&'));
+ // & replacement has to be the last one to prevent
+ // bugs with intermediate strings containing escape sequences
+ // See: https://github.com/validatorjs/validator.js/issues/1827
 }
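Review bot: The single-level guarantee now rests entirely on the `&` replacement being the last call in the chain (the `/&/g` literal at the end of the new `return`; the regex literals on this page appear to have lost their entity text, so it presumably reads `&amp;` in the source), and nothing stops a later contributor appending another `.replace` after it and silently reintroducing double decoding, which is exactly how an already-escaped payload turns back into live markup. A single pass with one alternation regex and a lookup object keyed by entity, e.g. `return str.replace(ENTITY_RE, (m) => ENTITY_TO_CHAR[m]);` with `ENTITY_RE` derived from the object's keys (names here are placeholders), makes the property structural rather than order-dependent. Either way the contract deserves a JSDoc block on the function stating that it decodes exactly one level and is therefore not idempotent, so callers must not apply it repeatedly. The hunk contains the whole body of unescape.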
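Review bot: As rendered here the new fixture maps `'Escaped string: &lt;'` to `'Escaped string: <'`, which is an ordinary one-level case that would also have passed before the reordering, so on its face the regression is untested; the bug only shows with a doubly escaped input, so confirm the committed key is `'Escaped string: &amp;lt;'` with expected value `'Escaped string: &lt;'` (the page seems to have decoded one level of entities when it was rendered). A second case for the reordered replacement itself, `'&amp;amp;'` expecting `'&amp;'`, would pin the same property directly. The enclosing describe block starts outside the hunk.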
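Review bot: The three new comment lines sit after the `return` statement, so a reader reaches the ordering rationale only after the chain it explains, and the comment occupies the position where code would be unreachable. Move them above `return (str.replace(` at the top of the body, or fold the rationale and the issue link into a JSDoc block on the function so it also surfaces in editor tooltips. The function's opening lines are outside this hunk.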