JSPM

strip-invalid-trailing-encoding

1.1.1
  • License MIT

Strips improperly truncated percent encodings

Package Exports

  • strip-invalid-trailing-encoding

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (strip-invalid-trailing-encoding) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

strip-invalid-trailing-encoding

Strips improperly truncated percent encodings.

const base = "http://github.com";
const query = `?value=${encodeURIComponent('test ⚡')}`;

let url = base + query; // => "http://github.com?value=test%20%E2%9A%A1"

// Now, something happens and the url gets truncated:
url = "http://github.com?value=test%20%E2%9A%A";

decodeURIComponent(url); // throws URIError

Truncation of "useless" params from a URL can happen for any number of reasons. But it's a problem when you try to decode the values on the server side. If the URL has been improperly truncated, decodeURIComponent will throw!

Thus, strip-invalid-trailing-encoding, which strips the invalid trailing encodings (yah). It performs the least amount of trimming possible to generate a valid URL:

const strip = require('strip-invalid-trailing-encoding');

strip(url); // => "http://github.com?value=test%20"

Notice that %20 is still in the URL? That's because it's a valid encoding, and we try to only strip the invalid encodings.

strip("value=test%20%E2%9A%A1"); // => "value=test%20%E2%9A%A1"
strip("value=test%20%E2%9A%A");  // => "value=test%20"
strip("value=test%20%E2%9A%");   // => "value=test%20"
strip("value=test%20%E2%9A");    // => "value=test%20"
strip("value=test%20%E2%9");     // => "value=test%20"
strip("value=test%20%E2%");      // => "value=test%20"
strip("value=test%20%E2");       // => "value=test%20"
strip("value=test%20%E");        // => "value=test%20"
strip("value=test%20%");         // => "value=test%20"
strip("value=test%20");          // => "value=test%20"
strip("value=test%2");           // => "value=test"
strip("value=test%");            // => "value=test"
strip("value=test");             // => "value=test"

Caveats

We assume a "good" string that was truncated improperly, and fix that. We do not sanitize the input string in any other way. It is possible for attackers to craft strings that we will not strip.

decodeURIComponent(strip("%A00")); // THROWS ERROR
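Because crafted input such as "%A00" still throws after stripping, server-side code should treat decoding as fallible. The following is an added example, not the package's own code: `stripTruncatedTail` and `safeDecode` are hypothetical names, and the stripping logic is an independent sketch that reproduces the table above by dropping a dangling "%"/"%X" and then an incomplete trailing UTF-8 sequence.

```javascript
// Independent sketch (assumption: NOT the package's implementation).
// Removes only a truncated tail: a dangling "%" / "%X", then an
// incomplete UTF-8 multi-byte sequence at the very end of the string.
function stripTruncatedTail(input) {
  const s = input.replace(/%[0-9A-Fa-f]?$/, "");
  const run = s.match(/(?:%[0-9A-Fa-f]{2})+$/);
  if (!run) return s;
  const bytes = run[0].match(/%../g).map((t) => parseInt(t.slice(1), 16));

  // Walk back over up to three continuation bytes (10xxxxxx) to the lead byte.
  let i = bytes.length - 1;
  while (i >= 0 && (bytes[i] & 0xc0) === 0x80 && bytes.length - 1 - i < 3) i--;
  if (i < 0) return s; // no lead byte in the run: not a truncation, leave as-is

  const lead = bytes[i];
  const need = lead >= 0xf0 ? 4 : lead >= 0xe0 ? 3 : lead >= 0xc0 ? 2 : 1;
  const have = bytes.length - i;
  // Each escaped byte is three characters ("%XX").
  return have < need ? s.slice(0, s.length - have * 3) : s;
}

// Decode without letting malformed input crash the request handler.
// Returns { ok: false } for anything that is still undecodable after stripping.
function safeDecode(input) {
  try {
    return { ok: true, value: decodeURIComponent(stripTruncatedTail(input)) };
  } catch (err) {
    if (err instanceof URIError) return { ok: false, value: null };
    throw err; // unrelated failures should not be swallowed
  }
}

// Constructed inputs: a truncated tail, and the crafted string from the caveat.
for (const s of ["value=test%20%E2%9A%A", "%A00"]) {
  console.log(JSON.stringify(s), "->", safeDecode(s));
}
```

Callers can map `ok: false` to a 400 response instead of an unhandled exception.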