Bug 1444651 - Port Bug 1395508 to SeaMonkey. r=IanN a=IanN RELEASE_BASE_20180312
authorFrank-Rainer Grahl <frgrahl@gmx.net>
Sun, 11 Mar 2018 20:04:40 +0100
changeset 30095 5213294dca3881e02bf54fdc7d123479676adc18
parent 30094 b1c5a47ee0138c07e876921c6e13309c9a9112cc
child 30096 52ac8a90c6e961a8a2779ab7cc77f6438e3453fe
reviewersIanN, IanN
bugs1444651, 1395508
Bug 1444651 - Port Bug 1395508 to SeaMonkey. r=IanN a=IanN
suite/browser/navigator.js
--- a/suite/browser/navigator.js
+++ b/suite/browser/navigator.js
@@ -2195,22 +2195,25 @@ function losslessDecodeURI(aURI) {
       // This only decodes ascii characters (hex) 20-7e, except 25 (%).
       // This avoids both cases stipulated below (%-related issues, and \r, \n
       // and \t, which would be %0d, %0a and %09, respectively) as well as any
       // non-US-ascii characters.
       value = value.replace(/%(2[0-4]|2[6-9a-f]|[3-6][0-9a-f]|7[0-9a-e])/g, decodeURI);
     } else {
       try {
         value = decodeURI(value)
-                  // decodeURI decodes %25 to %, which creates unintended
-                  // encoding sequences. Re-encode it, unless it's part of
-                  // a sequence that survived decodeURI, i.e. one for:
-                  // ';', '/', '?', ':', '@', '&', '=', '+', '$', ',', '#'
-                  // (RFC 3987 section 3.2)
-                  .replace(/%(?!3B|2F|3F|3A|40|26|3D|2B|24|2C|23)/ig,
+                  // 1. decodeURI decodes %25 to %, which creates unintended
+                  //    encoding sequences. Re-encode it, unless it's part of
+                  //    a sequence that survived decodeURI, i.e. one for:
+                  //    ';', '/', '?', ':', '@', '&', '=', '+', '$', ',', '#'
+                  //    (RFC 3987 section 3.2)
+                  // 2. Ee-encode all adjacent whitespace, to prevent spoofing
+                  //    attempts where invisible characters would push part of
+                  //    the URL to overflow the location bar (bug 1395508).
+                  .replace(/%(?!3B|2F|3F|3A|40|26|3D|2B|24|2C|23)|\s(?=\s)|\s$/ig,
                            encodeURIComponent);
       } catch (e) {}
     }
   }
 
   // Encode invisible characters (soft hyphen, zero-width space, BOM,
   // line and paragraph separator, word joiner, invisible times,
   // invisible separator, object replacement character,
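Review bot: The whitespace re-encoding added on the new side of this hunk only runs in the `else` branch, while the branch above still decodes `%20` through the `2[0-4]` alternative in `value = value.replace(/%(2[0-4]|2[6-9a-f]|[3-6][0-9a-f]|7[0-9a-e])/g, decodeURI);`, so a run such as `%20%20` reaching that branch still turns into adjacent spaces that nothing re-encodes; if that branch is reachable for untrusted URLs (its condition is outside the hunk), a second pass `value = value.replace(/\s(?=\s)|\s$/g, encodeURIComponent);` after it would close the gap. The new comment has a typo: `// 2. Ee-encode all adjacent whitespace, to prevent spoofing` should read `// 2. Re-encode all adjacent whitespace, to prevent spoofing`. That comment could also note that `\s` in a JavaScript regex matches Unicode spaces such as U+00A0 and U+3000, not just ASCII blanks, so the rule is intentionally broader than `%20`. The enclosing `losslessDecodeURI` starts before this hunk.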