decode_params doesn't handle decoded % symbol #7515

Closed
dmkret opened this issue Nov 5, 2022 · 1 comment · Fixed by #7521

dmkret commented Nov 5, 2022

Describe the bug

This function receives a record containing params parsed from the pathname, which was previously processed with decodeURI.

    export function decode_params(params) {
        for (const key in params) {
            // input has already been decoded by decodeURI
            // now handle the rest that decodeURIComponent would do
            params[key] = params[key]
                .replace(/%23/g, '#')
                .replace(/%3[Bb]/g, ';')
                .replace(/%2[Cc]/g, ',')
                .replace(/%2[Ff]/g, '/')
                .replace(/%3[Ff]/g, '?')
                .replace(/%3[Aa]/g, ':')
                .replace(/%40/g, '@')
                .replace(/%26/g, '&')
                .replace(/%3[Dd]/g, '=')
                .replace(/%2[Bb]/g, '+')
                .replace(/%24/g, '$');
        }
        return params;
    }

decodeURI decodes %25 as %, but doesn't decode all symbols (unlike decodeURIComponent). The missed symbols are decoded by decode_params, which is wrong, because a decoded % followed by some characters is decoded again.

Reproduction

https://stackblitz.com/edit/sveltejs-kit-template-default-v5eg8a

  1. Click on goto /%25, param: % expected ✅
  2. Click on goto /%2526, param: %26 expected ❌

Logs

No response

System Info

System:
    OS: Linux 5.19 Ubuntu 22.04.1 LTS 22.04.1 LTS (Jammy Jellyfish)
    CPU: (8) x64 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
    Memory: 1.32 GB / 7.45 GB
    Container: Yes
    Shell: 5.1.16 - /bin/bash
  Binaries:
    Node: 16.18.1 - /usr/local/share/nvm/versions/node/v16.18.1/bin/node
    Yarn: 1.22.19 - /usr/bin/yarn
    npm: 8.19.2 - /usr/local/share/nvm/versions/node/v16.18.1/bin/npm

Severity

annoyance

Additional Information

I'd like to make a PR


dmkret commented Nov 5, 2022

I've found that one of the simple solutions could be:

  1. avoid %25 from decoding:
- decoded = decodeURI(url.pathname);
+ decoded = url.pathname.split('%25').map(decodeURI).join('%25');
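Review bot: the + line leaves every %25 in decoded as the literal three characters, so anything that reads decoded before the params are extracted now sees %25 where it previously saw %, and the value is only correct if each param is decoded once more afterwards. This line should land together with the decodeURIComponent change in decode_params, plus a regression test for the reproduction paths /%25 (expect %) and /%2526 (expect %26).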
  2. use decodeURIComponent inside decode_params:
params[key] = decodeURIComponent(params[key]);

benmccann changed the title from "decode_params doesn't handle decodeded % symbol" to "decode_params doesn't handle decoded % symbol" on Nov 8, 2022
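The double decoding reported in this issue, and the two-step proposal from the comment, checked against a decode-exactly-once reference. This is an added example, not SvelteKit source or code from the issue author; it goes beyond the two reproduction paths to cover other reserved characters. The function names, the one-param-per-segment routing model, the sample paths and the condensed single-regex form of the replace chain are assumptions made for illustration.

```javascript
// Added example, not SvelteKit source. Assumes one route param per path segment.
// Reserved characters decodeURI leaves encoded; one regex equivalent to the
// issue's replace chain (# $ & + , / : ; = ? @).
const RESERVED = /%(23|24|26|2[BbCcFf]|3[AaBbDdFf]|40)/g;

// Path reported in the issue: decodeURI on the pathname, then the replace chain.
function decodeReported(pathname) {
	const decoded = decodeURI(pathname);
	return decoded.split('/').slice(1)
		.map((seg) => seg.replace(RESERVED, (m) => decodeURIComponent(m)));
}

// Proposal from the comment: keep %25 encoded, then decodeURIComponent per param.
function decodeProposed(pathname) {
	const decoded = pathname.split('%25').map(decodeURI).join('%25');
	return decoded.split('/').slice(1).map((seg) => decodeURIComponent(seg));
}

// Reference: every raw segment is percent-decoded exactly once.
function decodeOnce(pathname) {
	return pathname.split('/').slice(1).map((seg) => decodeURIComponent(seg));
}

// Returns the sample paths for which a decoder disagrees with the reference.
function audit(decoder, samples) {
	const same = (a, b) => JSON.stringify(a) === JSON.stringify(b);
	return samples.filter((p) => !same(decoder(p), decodeOnce(p)));
}

// Constructed sample paths: the two from the reproduction plus other cases.
const SAMPLES = ['/%25', '/%2526', '/%252F', '/a%2Fb', '/caf%C3%A9', '/%2523/x', '/100%25%2B'];

console.log('reported path disagrees with reference for:', audit(decodeReported, SAMPLES));
console.log('proposal disagrees with reference for:', audit(decodeProposed, SAMPLES));
for (const p of SAMPLES) {
	console.log(p, decodeReported(p), decodeProposed(p));
}
```

Every path the reported behaviour gets wrong contains an encoded `%25` followed by the hex digits of a reserved character, which is the case where a value checked in its once-decoded form differs from what the handler receives.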