rusackas commented on PR #40622: URL: https://github.com/apache/superset/pull/40622#issuecomment-4617797234
Good catch, thanks @rebenitez1802 — you are absolutely right. `.trim()` and the `/\s/` replace only cover whitespace, so a leading non-whitespace C0 control like `0x01javascript:` slipped straight through while browsers (per the WHATWG URL parser) strip it before resolving the scheme. Fixed in 461f40e: I now strip the full `0x00-0x20` range (leading and trailing, matching browser URL parsing — this also subsumes the old `.trim()`) and strip the same range when normalizing the scheme for the blocklist comparison. Added test cases covering leading `0x00`/`0x01`/`0x1f` and a control char embedded inside the scheme.
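The parser differential described in the comment above, as an added example that is not code from the PR or from Superset: a whitespace-only scheme check beside one that strips the `0x00-0x20` range, with the WHATWG `URL` parser as the reference. The function names, the blocklist contents and the sample URLs are assumptions constructed for this illustration.

```javascript
// Added illustration; names and blocklist are assumptions, not Superset's code.
const BLOCKED_SCHEMES = ['javascript:', 'data:', 'vbscript:'];
const SCHEME_RE = /^([^:/?#]*:)/; // everything up to the first ':' of an absolute URL

// Before: .trim() and a /\s/ replace only remove whitespace, so 0x00, 0x01
// and 0x1f survive and the extracted scheme no longer equals "javascript:".
function schemeWhitespaceOnly(url) {
  const m = SCHEME_RE.exec(url.trim());
  return m ? m[1].replace(/\s/g, '').toLowerCase() : '';
}

// After: strip leading/trailing C0 control or space (0x00-0x20), as the WHATWG
// URL parser does, then strip the same range from the scheme before comparing.
function schemeC0Stripped(url) {
  const stripped = url.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  const m = SCHEME_RE.exec(stripped);
  return m ? m[1].replace(/[\u0000-\u0020]/g, '').toLowerCase() : '';
}

function isBlocked(schemeFn, url) {
  return BLOCKED_SCHEMES.includes(schemeFn(url));
}

// Reference: the scheme a WHATWG-conformant parser resolves ('' if it cannot parse).
function parserScheme(url) {
  try {
    return new URL(url).protocol;
  } catch (e) {
    return '';
  }
}

// Constructed sample inputs, not taken from the PR's test suite.
const SAMPLES = [
  '\u0001javascript:void(0)',  // leading non-whitespace C0 control
  '\u0000javascript:void(0)',
  '\u001fJavaScript:void(0)',
  ' \tjavascript:void(0) ',    // plain whitespace: both checks catch this
  'java\u0001script:void(0)',  // control char embedded in the scheme
  'https://example.com/a',     // must stay allowed
  '/dashboard/1',              // relative URL, no scheme
];

function compare() {
  return SAMPLES.map((url) => ({
    url: JSON.stringify(url),
    before: isBlocked(schemeWhitespaceOnly, url),
    after: isBlocked(schemeC0Stripped, url),
    parser: parserScheme(url),
  }));
}
```

Calling `console.table(compare())` under Node shows the rows where `before` is `false` while the parser still resolves `javascript:`, which is the gap the fix closes.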
