We can run malicious JS code by using escape sequences for special characters: ASCII escapes, which start with \x, and Unicode escapes, which start with \u, such as the following:
CR ==> \x0d and \u000d
LF ==> \x0a and \u000a
TAB ==> \t, \u0009 and \x09
So there are many such characters, and we can’t filter all of them one by one!
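I have a good, and maybe perfect, fix:
In parse-url, use `url = (url || "").replace(/\s/gmi, '')` at this line of code to remove all whitespace (including characters written as \x or \u escapes) from any part of the string. Note that \s only matches literal whitespace characters, so percent-encoded sequences such as %0a are left in place; checking the parsed scheme against an allowlist of expected values remains the sturdier safeguard.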
const http = require("http");
const parseUrl = require("parse-url");
// Proof-of-concept input: the scheme name is written with an embedded
// carriage return (U+000D), and a percent-encoded line feed (%0a) precedes
// the payload. The URL is parsed once at startup; every request is answered
// from this single parse result.
const url = parseUrl('jav\u000Dascript://%0aalert(1)');
console.log(url);

const server = http.createServer((request, response) => {
  response.writeHead(200);

  // Blocklist-style check: any parsed scheme that is not exactly "javascript"
  // (and not null) is treated as safe. An exact-match blocklist like this is
  // what the control-character input above is meant to slip past; comparing
  // against an allowlist of expected schemes is the sturdier design.
  // NOTE(review): parse-url documents `protocol` / `protocols` on its result;
  // confirm `scheme` is populated in the version under test. If it is
  // undefined, this condition is always true.
  const schemeLooksSafe = url.scheme !== "javascript" && url.scheme !== null;

  // The "accepted" response is a fixed string; the parsed URL itself is not
  // written into the href here.
  response.end(schemeLooksSafe ? "<a href>Wowww!</a>" : "Nooo!");
});

// Bound to the loopback interface only; prints the address actually in use.
server.listen(80, "127.0.0.1", () => {
  const { address, port } = server.address();
  console.log(`http://${address}:${port}`);
});