(url)
| 39 | } |
| 40 | |
| 41 | export function sanitizeUrl(url) { |
| 42 | if (typeof url !== "string" || url.trim() === "") { |
| 43 | return "" |
| 44 | } |
| 45 | |
| 46 | const urlTrimmed = url.trim() |
| 47 | const blankURL = "about:blank" |
| 48 | |
| 49 | try { |
| 50 | const base = `https://base${String(Math.random()).slice(2)}` |
| 51 | const urlObject = new URL(urlTrimmed, base) |
| 52 | const scheme = urlObject.protocol.slice(0, -1) |
| 53 | |
| 54 | // check for invalid schemes |
| 55 | if (["javascript", "data", "vbscript"].includes(scheme.toLowerCase())) { |
| 56 | return blankURL |
| 57 | } |
| 58 | |
| 59 | // return sanitized URI reference |
| 60 | if (urlObject.origin === base) { |
| 61 | if (urlTrimmed.startsWith("/")) { |
| 62 | return `${urlObject.pathname}${urlObject.search}${urlObject.hash}` |
| 63 | } |
| 64 | |
| 65 | // Handle relative paths (./path, ../path, ./../../path, etc.) |
| 66 | if (urlTrimmed.startsWith("./") || urlTrimmed.startsWith("../")) { |
| 67 | const relativePath = urlTrimmed.match(/^(\.\.?\/)+/)[0] |
| 68 | const remainingPath = urlObject.pathname.substring(1) |
| 69 | return `${relativePath}${remainingPath}${urlObject.search}${urlObject.hash}` |
| 70 | } |
| 71 | |
| 72 | return `${urlObject.pathname.substring(1)}${urlObject.search}${urlObject.hash}` |
| 73 | } |
| 74 | |
| 75 | return String(urlObject) |
| 76 | } catch { |
| 77 | return blankURL |
| 78 | } |
| 79 | } |
no outgoing calls
no test coverage detected
searching dependent graphs…