[PR #801] [MERGED] fix: normalize URL scheme detection for control characters #855

Closed
opened 2026-05-06 13:10:29 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/801
Author: @southpolesteve
Created: 4/9/2026
Status: Merged
Merged: 4/9/2026
Merged by: @southpolesteve

Base: main ← Head: fix/harden-url-scheme-control-chars


📝 Commits (1)

  • 4145e92 fix: normalize dangerous URL scheme detection for control chars (https://github.com/cloudflare/vinext/commit/4145e925277af71d9ef2211bdccd0698a0bcbb95)

📊 Changes

2 files changed (+61 additions, -12 deletions)

📝 packages/vinext/src/shims/url-safety.ts (+27 -4)
📝 tests/url-safety.test.ts (+34 -8)

📄 Description

Summary

Improve URL scheme detection so control-character-obfuscated values are recognized consistently in Link and Form.

Details

The previous detector used a single regex that only matched contiguous scheme names, so values with embedded tab/newline characters or leading C0 controls were not handled consistently.

This change switches to scheme-specific patterns that mirror Next.js's javascript: detector while preserving vinext's broader data: / vbscript: blocking:

  • Next.js reference: packages/next/src/client/lib/javascript-url.ts
  • https://github.com/vercel/next.js/blob/canary/packages/next/src/client/lib/javascript-url.ts

Behavior changes covered by tests:

  • java\nscript: / java\rscript: / java\tscript: are treated as dangerous
  • leading NUL-prefixed forms are treated as dangerous
  • plain spaces before the colon are not treated as a valid dangerous scheme
  • zero-width characters before the colon are not treated as a valid dangerous scheme

Tests

Updated tests/url-safety.test.ts with 38 passing unit tests covering:

  • existing scheme detection behavior
  • embedded control-character variants
  • leading control-character variants
  • parser edge cases around spaces and zero-width characters before the colon

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
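The detector behaviour listed above, as an added TypeScript example that is not vinext's url-safety.ts and not Next.js's javascript-url.ts: one pattern per scheme that tolerates tab/LF/CR between the scheme letters and leading C0 controls or spaces, beside a constructed contiguous-only regex standing in for the kind of single pattern the description says was replaced. The function names, the exact character classes (taken from the WHATWG URL parser's "ASCII tab or newline" and "leading C0 control or space" stripping rules) and the sample inputs are this example's own assumptions.

```typescript
// Added example, not vinext's own code: a dangerous-scheme detector that
// behaves the way the PR description specifies.

// Characters a browser's URL parser strips from inside a scheme: tab, LF, CR
// (assumption: WHATWG "remove all ASCII tab or newline from input").
const EMBEDDED_IGNORED = "[\\t\\n\\r]*";
// Leading C0 controls and space are stripped before the scheme is read
// (assumption: WHATWG "remove leading C0 control or space").
const LEADING_IGNORED = "^[\\u0000-\\u001F ]*";

// Build one pattern per scheme, allowing the ignored characters between every
// letter, i.e. j[\t\n\r]*a[\t\n\r]*v... for "javascript". A plain space or a
// zero-width character between letters is not in the class, so it breaks the
// match, just as it would break the scheme for a real URL parser.
function schemePattern(scheme: string): RegExp {
  const letters = scheme.split("").map((c) => c + EMBEDDED_IGNORED).join("");
  return new RegExp(LEADING_IGNORED + letters + ":", "i");
}

// javascript: plus the broader data: / vbscript: blocking the description mentions.
const DANGEROUS_SCHEME_PATTERNS: RegExp[] = ["javascript", "data", "vbscript"].map(schemePattern);

function isDangerousUrl(url: string): boolean {
  return DANGEROUS_SCHEME_PATTERNS.some((re) => re.test(url));
}

// Constructed stand-in for a "single regex that only matched contiguous scheme
// names" (not vinext's actual previous code), kept to show which inputs it misses.
const CONTIGUOUS_ONLY = /^\s*(javascript|data|vbscript):/i;
function naiveIsDangerousUrl(url: string): boolean {
  return CONTIGUOUS_ONLY.test(url);
}

// Constructed sample inputs with the verdicts the PR description specifies.
const SAMPLES: Array<[string, boolean]> = [
  ["https://example.com/", false],
  ["/relative/path", false],
  ["mailto:someone@example.com", false],
  ["JavaScript:void(0)", true],          // scheme match is case-insensitive
  ["java\nscript:void(0)", true],        // embedded LF
  ["java\rscript:void(0)", true],        // embedded CR
  ["java\tscript:void(0)", true],        // embedded tab
  ["\u0000javascript:void(0)", true],    // leading NUL
  ["  \u0001javascript:void(0)", true],  // leading spaces plus a C0 control
  ["java script:void(0)", false],        // plain space is not stripped by parsers
  ["java\u200Bscript:void(0)", false],   // zero-width space is not stripped either
  ["data:text/html,hello", true],
  ["vbscript:MsgBox", true],
];

// Returns the sample inputs whose verdict from `check` differs from the expected one.
function mismatches(check: (url: string) => boolean): string[] {
  return SAMPLES
    .filter(([url, expected]) => check(url) !== expected)
    .map(([url]) => JSON.stringify(url));
}

console.log("hardened detector misses:", mismatches(isDangerousUrl));
console.log("contiguous-only detector misses:", mismatches(naiveIsDangerousUrl));
```

Running the block prints an empty list for the per-scheme detector and the five control-character variants for the contiguous-only one; the two "not dangerous" cases (plain space, zero-width space) are accepted by both, which is the intended behaviour since no browser would execute them as a scheme.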
