authorRblSb <msrblsb@gmail.com>2021-09-03 12:06:53 +0300
committerRblSb <msrblsb@gmail.com>2021-09-03 12:06:53 +0300
commit97f9a66a3dc13aa4d56eeb7131f0706e2a20a9dd (patch)
treecd1a50ed526eb9f1028f0c64c8ce5f7ef6c61060 /src/server/HttpServer.hx
parentd21b5da50cf24de64581cfc78ce46533faad0e86 (diff)
Detect null/ctrl chars
closes #30
Diffstat (limited to 'src/server/HttpServer.hx')
-rw-r--r--src/server/HttpServer.hx14
1 files changed, 12 insertions, 2 deletions
diff --git a/src/server/HttpServer.hx b/src/server/HttpServer.hx
index c4853ee..7f257a4 100644
--- a/src/server/HttpServer.hx
+++ b/src/server/HttpServer.hx
@@ -50,7 +50,7 @@ class HttpServer {
}
public static function serveFiles(req:IncomingMessage, res:ServerResponse):Void {
- var url = decodeURI(req.url);
+ var url = safeDecodeURI(req.url);
if (url == "/") url = "/index.html";
var filePath = dir + url;
final ext = Path.extension(filePath).toLowerCase();
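Review bot: `filePath` is built as `dir + url` from the decoded request URL, and no containment check is visible in this hunk. `decodeURI` turns `%2e` into `.`, so dot segments can arrive percent-encoded and only become `..` after this call. Unless the rest of `serveFiles` (which continues outside the hunk) already does so, normalise the path and confirm it stays under `dir` before any file access: `final full = Path.normalize(filePath);` then `if (!StringTools.startsWith(full, Path.addTrailingSlash(Path.normalize(dir)))) return;` after sending an error status. That check has to run on the value returned by `safeDecodeURI`, not on `req.url`.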
@@ -183,7 +183,7 @@ class HttpServer {
fn:(req:IncomingMessage) -> Bool
):Null<ClientRequest> {
final url = try {
- new URL(decodeURI(url));
+ new URL(safeDecodeURI(url));
} catch (e) return null;
if (url.host == req.headers["host"]) return null;
final options = {
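Review bot: The only destination check visible here is `url.host == req.headers["host"]`, so the proxy will still build a request to whatever host the client-supplied `url` names, including loopback or internal addresses. The `fn` callback or code outside the hunk may restrict this, but stripping control characters does not. Consider checking `url.protocol` against `http:`/`https:` and the host against an allow-list before `options` is filled in. The function starts and ends outside the hunk, so an existing check may simply not be visible here.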
@@ -216,6 +216,16 @@ class HttpServer {
return contentType;
}
+ static final ctrlCharacters = ~/[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/g;
+
+ static function safeDecodeURI(data:String):String {
+ try {
+ data = decodeURI(data);
+ } catch (err) {}
+ data = ctrlCharacters.replace(data, "");
+ return data;
+ }
+
static inline function decodeURI(data:String):String {
return js.Syntax.code("decodeURI({0})", data);
}
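Review bot: `safeDecodeURI` swallows the `decodeURI` exception in an empty `catch (err) {}` and continues with the raw string, so a request with a malformed escape is processed still percent-encoded instead of being rejected. Deleting characters after decoding also changes the string, and can join characters that were separated in the request (a `.`, a stripped character and another `.` become `..`). Rejecting is safer than repairing: return `Null<String>` and have `serveFiles` answer 400 and the proxy path `return null`. The class in `ctrlCharacters` treats U+2000–U+200A (typographic spaces) as control characters while leaving out U+2028/U+2029 and the bidi controls U+200E–U+200F and U+202A–U+202E. A comment stating the intended set would help, e.g. `// C0, DEL, C1, zero-width and BOM characters that must never appear in a request URL`.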