mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-11-28 14:03:48 +03:00
🐛 Fixed malformed URLs crashing the url helper
refs https://github.com/TryGhost/Team/issues/960 - Character like "%%" or "%80" would crash our current url escaping behavior. We consider they aren't valid URLs as the percentages haven't been properly escaped.
This commit is contained in:
parent
ecbdb2284e
commit
77c0364efd
@ -6,6 +6,9 @@
|
||||
|
||||
const {metaData} = require('../services/proxy');
|
||||
const {SafeString} = require('../services/rendering');
|
||||
const logging = require('@tryghost/logging');
|
||||
const sentry = require('../../shared/sentry');
|
||||
const errors = require('@tryghost/errors');
|
||||
|
||||
const {getMetaDataUrl} = metaData;
|
||||
|
||||
@ -13,7 +16,21 @@ module.exports = function url(options) {
|
||||
const absolute = options && options.hash.absolute && options.hash.absolute !== 'false';
|
||||
let outputUrl = getMetaDataUrl(this, absolute);
|
||||
|
||||
try {
|
||||
outputUrl = encodeURI(decodeURI(outputUrl));
|
||||
} catch (err) {
|
||||
// Happens when the outputURL contains an invalid URI character like "%%" or "%80"
|
||||
|
||||
// Send the error not to be blind to these
|
||||
const error = new errors.IncorrectUsageError({
|
||||
message: `The url "${outputUrl}" couldn't be escaped correctly`,
|
||||
err: err
|
||||
});
|
||||
sentry.captureException(error);
|
||||
logging.error(error);
|
||||
|
||||
return new SafeString('');
|
||||
}
|
||||
|
||||
return new SafeString(outputUrl);
|
||||
};
|
||||
|
@ -9,7 +9,7 @@ const url = require('../../../../core/frontend/helpers/url');
|
||||
const urlService = require('../../../../core/server/services/url');
|
||||
const api = require('../../../../core/server/api');
|
||||
|
||||
describe('{{url}} helper', function () {
|
||||
describe.only('{{url}} helper', function () {
|
||||
let rendered;
|
||||
|
||||
beforeEach(function () {
|
||||
@ -267,6 +267,12 @@ describe('{{url}} helper', function () {
|
||||
should.exist(rendered);
|
||||
rendered.string.should.equal('/?foo=space%20bar');
|
||||
});
|
||||
|
||||
it('should an empty string when we can\'t parse a string', function () {
|
||||
rendered = url.call({url: '/?foo=space%%bar', label: 'Baz', slug: 'baz', current: true});
|
||||
should.exist(rendered);
|
||||
rendered.string.should.equal('');
|
||||
});
|
||||
});
|
||||
|
||||
describe('with subdir', function () {
|
||||
|
Loading…
Reference in New Issue
Block a user