Bug 1444651 - Port Bug 1395508 to SeaMonkey. r=IanN
authorFrank-Rainer Grahl <frgrahl@gmx.net>
Sun, 11 Mar 2018 20:03:35 +0100
changeset 31270 7c8d66add87f514b65d981ea6bbd4fa581596f80
parent 31269 1cb55e399e917d4f48c2f73a001cd6d1653670f5
child 31271 d6eb1caf9e2d690cc2c5429e573b7beb6bb695a8
push id383
push userclokep@gmail.com
push dateMon, 07 May 2018 21:52:48 +0000
reviewersIanN
bugs1444651, 1395508
Bug 1444651 - Port Bug 1395508 to SeaMonkey. r=IanN
suite/browser/navigator.js
--- a/suite/browser/navigator.js
+++ b/suite/browser/navigator.js
@@ -2195,22 +2195,25 @@ function losslessDecodeURI(aURI) {
       // This only decodes ascii characters (hex) 20-7e, except 25 (%).
       // This avoids both cases stipulated below (%-related issues, and \r, \n
       // and \t, which would be %0d, %0a and %09, respectively) as well as any
       // non-US-ascii characters.
       value = value.replace(/%(2[0-4]|2[6-9a-f]|[3-6][0-9a-f]|7[0-9a-e])/g, decodeURI);
     } else {
       try {
         value = decodeURI(value)
-                  // decodeURI decodes %25 to %, which creates unintended
-                  // encoding sequences. Re-encode it, unless it's part of
-                  // a sequence that survived decodeURI, i.e. one for:
-                  // ';', '/', '?', ':', '@', '&', '=', '+', '$', ',', '#'
-                  // (RFC 3987 section 3.2)
-                  .replace(/%(?!3B|2F|3F|3A|40|26|3D|2B|24|2C|23)/ig,
+                  // 1. decodeURI decodes %25 to %, which creates unintended
+                  //    encoding sequences. Re-encode it, unless it's part of
+                  //    a sequence that survived decodeURI, i.e. one for:
+                  //    ';', '/', '?', ':', '@', '&', '=', '+', '$', ',', '#'
+                  //    (RFC 3987 section 3.2)
+                  // 2. Ee-encode all adjacent whitespace, to prevent spoofing
+                  //    attempts where invisible characters would push part of
+                  //    the URL to overflow the location bar (bug 1395508).
+                  .replace(/%(?!3B|2F|3F|3A|40|26|3D|2B|24|2C|23)|\s(?=\s)|\s$/ig,
                            encodeURIComponent);
       } catch (e) {}
     }
   }
 
   // Encode invisible characters (soft hyphen, zero-width space, BOM,
   // line and paragraph separator, word joiner, invisible times,
   // invisible separator, object replacement character,