@tanstack/router-core 1.171.12 → 1.171.14
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/router.cjs +13 -10
- package/dist/cjs/router.cjs.map +1 -1
- package/dist/cjs/router.d.cts +7 -3
- package/dist/cjs/scroll-restoration.cjs +26 -20
- package/dist/cjs/scroll-restoration.cjs.map +1 -1
- package/dist/cjs/utils.cjs +13 -4
- package/dist/cjs/utils.cjs.map +1 -1
- package/dist/esm/router.d.ts +7 -3
- package/dist/esm/router.js +13 -10
- package/dist/esm/router.js.map +1 -1
- package/dist/esm/scroll-restoration.js +26 -20
- package/dist/esm/scroll-restoration.js.map +1 -1
- package/dist/esm/utils.js +13 -4
- package/dist/esm/utils.js.map +1 -1
- package/package.json +1 -1
- package/src/router.ts +39 -16
- package/src/scroll-restoration.ts +39 -29
- package/src/utils.ts +21 -9
package/src/utils.ts
CHANGED
|
@@ -523,15 +523,26 @@ export function findLast<T>(
|
|
|
523
523
|
}
|
|
524
524
|
|
|
525
525
|
/**
|
|
526
|
-
*
|
|
527
|
-
*
|
|
528
|
-
*
|
|
526
|
+
* Re-encode characters that are unsafe in URL paths.
|
|
527
|
+
* Includes ASCII control characters (0x00-0x1F, 0x7F) and a subset of the
|
|
528
|
+
* WHATWG URL "path percent-encode set" (", <, >, `, {, }).
|
|
529
|
+
*
|
|
530
|
+
* Space (0x20) is intentionally excluded — decodeURI decodes %20 to space
|
|
531
|
+
* and the router stores decoded spaces in location.pathname. The existing
|
|
532
|
+
* encodePathLikeUrl already handles re-encoding spaces for outgoing URLs.
|
|
533
|
+
*
|
|
534
|
+
* These characters are decoded by decodeURI but must remain percent-encoded
|
|
535
|
+
* in paths to match how upstream layers (CDNs, edge middleware, browsers)
|
|
536
|
+
* interpret the URL, preventing infinite redirect loops and path mismatches.
|
|
529
537
|
*/
|
|
538
|
+
// eslint-disable-next-line no-control-regex
|
|
539
|
+
const PATH_UNSAFE_RE = /[\x00-\x1f\x7f"<>`{}]/g
|
|
540
|
+
|
|
530
541
|
function sanitizePathSegment(segment: string): string {
|
|
531
|
-
|
|
532
|
-
|
|
533
|
-
|
|
534
|
-
|
|
542
|
+
return segment.replace(
|
|
543
|
+
PATH_UNSAFE_RE,
|
|
544
|
+
(ch) => '%' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'),
|
|
545
|
+
)
|
|
535
546
|
}
|
|
536
547
|
|
|
537
548
|
function decodeSegment(segment: string): string {
|
|
@@ -644,8 +655,9 @@ export function decodePath(path: string) {
|
|
|
644
655
|
result = result + decodeSegment(cursor ? path.slice(cursor) : path)
|
|
645
656
|
|
|
646
657
|
// Prevent open redirect via protocol-relative URLs (e.g. "//evil.com")
|
|
647
|
-
//
|
|
648
|
-
//
|
|
658
|
+
// This is defense-in-depth: since control characters are no longer decoded,
|
|
659
|
+
// paths like "/%0d/evil.com" can no longer become "//evil.com". But we keep
|
|
660
|
+
// this check to guard against other edge cases.
|
|
649
661
|
let handledProtocolRelativeURL = false
|
|
650
662
|
if (result.startsWith('//')) {
|
|
651
663
|
handledProtocolRelativeURL = true
|