npm - @remix-run/router - Versions diffs - 1.23.1-pre-v6.0 → 1.23.2-pre-v6.0 - Mend

@remix-run/router 1.23.1-pre-v6.0 → 1.23.2-pre-v6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/CHANGELOG.md +7 -1
package/dist/router.cjs.js +18 -4
package/dist/router.cjs.js.map +1 -1
package/dist/router.js +18 -4
package/dist/router.js.map +1 -1
package/dist/router.umd.js +18 -4
package/dist/router.umd.js.map +1 -1
package/dist/router.umd.min.js +2 -2
package/dist/router.umd.min.js.map +1 -1
package/package.json +1 -1
package/router.ts +33 -3

package/CHANGELOG.md CHANGED Viewed

@@ -1,6 +1,12 @@
 # `@remix-run/router`
-## 1.23.1-pre-v6.0
+## 1.23.2-pre-v6.0
+### Patch Changes
+- Validate redirect locations ([#14707](https://github.com/remix-run/react-router/pull/14707))
+## 1.23.1
 ### Patch Changes

package/dist/router.cjs.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
- * @remix-run/router v1.23.1-pre-v6.0
+ * @remix-run/router v1.23.2-pre-v6.0
  *
  * Copyright (c) Remix Software Inc.
  *
@@ -2531,7 +2531,7 @@ function createRouter(init) {
         // If the user didn't explicity indicate replace behavior, replace if
         // we redirected to the exact same location we're currently at to avoid
         // double back-buttons
-        let location = normalizeRedirectLocation(result.response.headers.get("Location"), new URL(request.url), basename);
+        let location = normalizeRedirectLocation(result.response.headers.get("Location"), new URL(request.url), basename, init.history);
         replace = location === state.location.pathname + state.location.search;
       }
       await startRedirectNavigation(request, result, true, {
@@ -3171,7 +3171,7 @@ function createRouter(init) {
     }
     let location = redirect.response.headers.get("Location");
     invariant(location, "Expected a Location header on the redirect Response");
-    location = normalizeRedirectLocation(location, new URL(request.url), basename);
+    location = normalizeRedirectLocation(location, new URL(request.url), basename, init.history);
     let redirectLocation = createLocation(state.location, location, {
       _isRedirect: true
     });
@@ -4954,16 +4954,30 @@ function normalizeRelativeRoutingRedirectResponse(response, request, routeId, ma
   }
   return response;
 }
-function normalizeRedirectLocation(location, currentUrl, basename) {
+function normalizeRedirectLocation(location, currentUrl, basename, historyInstance) {
+  // Match Chrome's behavior:
+  // https://github.com/chromium/chromium/blob/216dbeb61db0c667e62082e5f5400a32d6983df3/content/public/common/url_utils.cc#L82
+  let invalidProtocols = ["about:", "blob:", "chrome:", "chrome-untrusted:", "content:", "data:", "devtools:", "file:", "filesystem:",
+  // eslint-disable-next-line no-script-url
+  "javascript:"];
   if (ABSOLUTE_URL_REGEX.test(location)) {
     // Strip off the protocol+origin for same-origin + same-basename absolute redirects
     let normalizedLocation = location;
     let url = normalizedLocation.startsWith("//") ? new URL(currentUrl.protocol + normalizedLocation) : new URL(normalizedLocation);
+    if (invalidProtocols.includes(url.protocol)) {
+      throw new Error("Invalid redirect location");
+    }
     let isSameBasename = stripBasename(url.pathname, basename) != null;
     if (url.origin === currentUrl.origin && isSameBasename) {
       return url.pathname + url.search + url.hash;
     }
   }
+  try {
+    let url = historyInstance.createURL(location);
+    if (invalidProtocols.includes(url.protocol)) {
+      throw new Error("Invalid redirect location");
+    }
+  } catch (e) {}
   return location;
 }