next-intl 3.17.1 → 3.17.2

package/dist/development/middleware/middleware.js

@@ -16,7 +16,11 @@ function createMiddleware(input) {
   return function middleware(request) {
     var _config$domains;
     // Resolve potential foreign symbols (e.g. /ja/%E7%B4%84 → /ja/約))
-    const externalPathname = decodeURI(request.nextUrl.pathname);
+    const unsafeExternalPathname = decodeURI(request.nextUrl.pathname);
+
+    // Sanitize malicious URIs to prevent open redirect attacks due to
+    // decodeURI doesn't escape encoded backslashes ('%5C' & '%5c')
+    const externalPathname = utils.sanitizePathname(unsafeExternalPathname);
     const {
       domain,
       locale

package/dist/development/middleware/utils.js

@@ -184,6 +184,12 @@ function applyBasePath(pathname, basePath) {
 function getLocaleAsPrefix(locale) {
   return "/".concat(locale);
 }
+function sanitizePathname(pathname) {
+  // Sanitize malicious URIs, e.g.:
+  // '/en/\\example.org → /en/%5C%5Cexample.org'
+  // '/en////example.org → /en/example.org'
+  return pathname.replace(/\\/g, '%5C').replace(/\/+/g, '/');
+}
 
 exports.applyBasePath = applyBasePath;
 exports.formatPathname = formatPathname;
@@ -198,3 +204,4 @@ exports.getNormalizedPathname = getNormalizedPathname;
 exports.getPathnameMatch = getPathnameMatch;
 exports.getRouteParams = getRouteParams;
 exports.isLocaleSupportedOnDomain = isLocaleSupportedOnDomain;
+exports.sanitizePathname = sanitizePathname;

package/dist/esm/middleware/middleware.js

@@ -1 +1 @@
-import{NextResponse as e}from"next/server";import{HEADER_LOCALE_NAME as o}from"../shared/constants.js";import{matchesPathname as l,normalizeTrailingSlash as r,getLocalePrefix as t}from"../shared/utils.js";import{receiveConfig as a}from"./config.js";import n from"./getAlternateLinksHeaderValue.js";import s from"./resolveLocale.js";import i from"./syncCookie.js";import{isLocaleSupportedOnDomain as c,getNormalizedPathname as d,getPathnameMatch as f,getInternalTemplate as m,formatTemplatePathname as h,formatPathname as x,getBestMatchingDomain as u,applyBasePath as p,getLocaleAsPrefix as v}from"./utils.js";function U(U){const P=a(U);return function(a){var U;const g=decodeURI(a.nextUrl.pathname),{domain:L,locale:j}=s(P,a.headers,a.cookies,g),w=L?L.defaultLocale===j:j===P.defaultLocale,k=(null===(U=P.domains)||void 0===U?void 0:U.filter((e=>c(j,e))))||[],b=null!=P.domains&&!L;function y(l){const r=new URL(l,a.url);a.nextUrl.basePath&&(r.pathname=p(r.pathname,a.nextUrl.basePath));const t=new Headers(a.headers);return t.set(o,j),e.rewrite(r,{request:{headers:t}})}function R(o,l){const t=new URL(r(o),a.url);if(k.length>0&&!l){const e=u(L,j,k);e&&(l=e.domain,e.defaultLocale===j&&"as-needed"===P.localePrefix.mode&&(t.pathname=d(t.pathname,P.locales,P.localePrefix)))}var n,s;l&&(t.host=l,a.headers.get("x-forwarded-host")&&(t.protocol=null!==(n=a.headers.get("x-forwarded-proto"))&&void 0!==n?n:a.nextUrl.protocol,t.port=null!==(s=a.headers.get("x-forwarded-port"))&&void 0!==s?s:""));return a.nextUrl.basePath&&(t.pathname=p(t.pathname,a.nextUrl.basePath)),e.redirect(t.toString())}const q=d(g,P.locales,P.localePrefix),H=f(g,P.locales,P.localePrefix),z=null!=H,A="never"===P.localePrefix.mode||w&&"as-needed"===P.localePrefix.mode;let C,D,I=q;if(P.pathnames){let e;if([e,D]=m(P.pathnames,q,j),D){const o=P.pathnames[D],r="string"==typeof o?o:o[j];if(l(r,q))I=h(q,r,D);else{let l;l=e?"string"==typeof o?o:o[e]:D;const n=A?void 0:t(j,P.localePrefix),s=h(q,l,r);C=R(x(s,n,a.nextUrl.search))}}}if(!C)if("/"!==I||z){const e=x(I,v(j),a.nextUrl.search);if(z){const o=x(q,H.prefix,a.nextUrl.search);if("never"===P.localePrefix.mode)C=R(x(q,void 0,a.nextUrl.search));else if(H.exact)if(w&&A)C=R(x(q,void 0,a.nextUrl.search));else if(P.domains){const l=u(L,H.locale,k);C=(null==L?void 0:L.domain)===(null==l?void 0:l.domain)||b?y(e):R(o,null==l?void 0:l.domain)}else C=y(e);else C=R(o)}else C=A?y(e):R(x(q,t(j,P.localePrefix),a.nextUrl.search))}else C=A?y(x(I,v(j),a.nextUrl.search)):R(x(q,t(j,P.localePrefix),a.nextUrl.search));var S;(P.localeDetection&&i(a,C,j),"never"!==P.localePrefix.mode&&P.alternateLinks&&P.locales.length>1)&&C.headers.set("Link",n({config:P,localizedPathnames:null!=D?null===(S=P.pathnames)||void 0===S?void 0:S[D]:void 0,request:a,resolvedLocale:j}));return C}}export{U as default};
+import{NextResponse as e}from"next/server";import{HEADER_LOCALE_NAME as o}from"../shared/constants.js";import{matchesPathname as l,normalizeTrailingSlash as r,getLocalePrefix as t}from"../shared/utils.js";import{receiveConfig as a}from"./config.js";import n from"./getAlternateLinksHeaderValue.js";import s from"./resolveLocale.js";import i from"./syncCookie.js";import{sanitizePathname as c,isLocaleSupportedOnDomain as d,getNormalizedPathname as f,getPathnameMatch as m,getInternalTemplate as h,formatTemplatePathname as x,formatPathname as u,getBestMatchingDomain as p,applyBasePath as v,getLocaleAsPrefix as U}from"./utils.js";function P(P){const g=a(P);return function(a){var P;const L=decodeURI(a.nextUrl.pathname),j=c(L),{domain:w,locale:k}=s(g,a.headers,a.cookies,j),b=w?w.defaultLocale===k:k===g.defaultLocale,y=(null===(P=g.domains)||void 0===P?void 0:P.filter((e=>d(k,e))))||[],R=null!=g.domains&&!w;function q(l){const r=new URL(l,a.url);a.nextUrl.basePath&&(r.pathname=v(r.pathname,a.nextUrl.basePath));const t=new Headers(a.headers);return t.set(o,k),e.rewrite(r,{request:{headers:t}})}function H(o,l){const t=new URL(r(o),a.url);if(y.length>0&&!l){const e=p(w,k,y);e&&(l=e.domain,e.defaultLocale===k&&"as-needed"===g.localePrefix.mode&&(t.pathname=f(t.pathname,g.locales,g.localePrefix)))}var n,s;l&&(t.host=l,a.headers.get("x-forwarded-host")&&(t.protocol=null!==(n=a.headers.get("x-forwarded-proto"))&&void 0!==n?n:a.nextUrl.protocol,t.port=null!==(s=a.headers.get("x-forwarded-port"))&&void 0!==s?s:""));return a.nextUrl.basePath&&(t.pathname=v(t.pathname,a.nextUrl.basePath)),e.redirect(t.toString())}const z=f(j,g.locales,g.localePrefix),A=m(j,g.locales,g.localePrefix),C=null!=A,D="never"===g.localePrefix.mode||b&&"as-needed"===g.localePrefix.mode;let I,S,V=z;if(g.pathnames){let e;if([e,S]=h(g.pathnames,z,k),S){const o=g.pathnames[S],r="string"==typeof o?o:o[k];if(l(r,z))V=x(z,r,S);else{let l;l=e?"string"==typeof o?o:o[e]:S;const n=D?void 0:t(k,g.localePrefix),s=x(z,l,r);I=H(u(s,n,a.nextUrl.search))}}}if(!I)if("/"!==V||C){const e=u(V,U(k),a.nextUrl.search);if(C){const o=u(z,A.prefix,a.nextUrl.search);if("never"===g.localePrefix.mode)I=H(u(z,void 0,a.nextUrl.search));else if(A.exact)if(b&&D)I=H(u(z,void 0,a.nextUrl.search));else if(g.domains){const l=p(w,A.locale,y);I=(null==w?void 0:w.domain)===(null==l?void 0:l.domain)||R?q(e):H(o,null==l?void 0:l.domain)}else I=q(e);else I=H(o)}else I=D?q(e):H(u(z,t(k,g.localePrefix),a.nextUrl.search))}else I=D?q(u(V,U(k),a.nextUrl.search)):H(u(z,t(k,g.localePrefix),a.nextUrl.search));var B;(g.localeDetection&&i(a,I,k),"never"!==g.localePrefix.mode&&g.alternateLinks&&g.locales.length>1)&&I.headers.set("Link",n({config:g,localizedPathnames:null!=S?null===(B=g.pathnames)||void 0===B?void 0:B[S]:void 0,request:a,resolvedLocale:k}));return I}}export{P as default};

package/dist/esm/middleware/utils.js

@@ -1 +1 @@
-import{getSortedPathnames as t,matchesPathname as e,normalizeTrailingSlash as n,getLocalePrefix as o,templateToRegex as r,prefixPathname as c}from"../shared/utils.js";function l(n,o,r){const c=t(Object.keys(n));for(const t of c){const c=n[t];if("string"==typeof c){if(e(c,o))return[void 0,t]}else{const n=Object.entries(c),l=n.findIndex((t=>{let[e]=t;return e===r}));l>0&&n.unshift(n.splice(l,1)[0]);for(const[r,c]of n)if(e(c,o))return[r,t]}}for(const t of Object.keys(n))if(e(t,o))return[void 0,t];return[void 0,void 0]}function i(t,e,o,r){let c="";return c+=d(o,a(e,t)),c=n(c),c}function u(t,e,o){t.endsWith("/")||(t+="/");const r=f(e,o),c=new RegExp("^(".concat(r.map((t=>{let[,e]=t;return e.replaceAll("/","\\/")})).join("|"),")/(.*)"),"i"),l=t.match(c);let i=l?"/"+l[2]:t;return"/"!==i&&(i=n(i)),i}function f(t,e){return t.map((t=>[t,o(t,e)]))}function s(t,e,n){const o=f(e,n);for(const[e,n]of o){let o,r;if(t===n||t.startsWith(n+"/"))o=r=!0;else{const e=t.toLowerCase(),c=n.toLowerCase();(e===c||e.startsWith(c+"/"))&&(o=!1,r=!0)}if(r)return{locale:e,prefix:n,matchedPrefix:t.slice(0,n.length),exact:o}}}function a(t,e){const o=n(e),c=n(t),l=r(c).exec(o);if(!l)return;const i={};for(let t=1;t<l.length;t++){var u;const e=null===(u=c.match(/\[([^\]]+)\]/g))||void 0===u?void 0:u[t-1].replace(/[[\]]/g,"");e&&(i[e]=l[t])}return i}function d(t,e){if(!e)return t;let n=t=t.replace(/\[\[/g,"[").replace(/\]\]/g,"]");return Object.entries(e).forEach((t=>{let[e,o]=t;n=n.replace("[".concat(e,"]"),o)})),n}function h(t,e,n){let o=t;return e&&(o=c(e,o)),n&&(o+=n),o}function p(t){var e,n;return null!==(e=null!==(n=t.get("x-forwarded-host"))&&void 0!==n?n:t.get("host"))&&void 0!==e?e:void 0}function v(t,e){return e.defaultLocale===t||!e.locales||e.locales.includes(t)}function g(t,e,n){let o;return t&&v(e,t)&&(o=t),o||(o=n.find((t=>t.defaultLocale===e))),o||(o=n.find((t=>null!=t.locales&&t.locales.includes(e)))),o||null!=(null==t?void 0:t.locales)||(o=t),o||(o=n.find((t=>!t.locales))),o}function x(t,e){return n(e+t)}function m(t){return"/".concat(t)}export{x as applyBasePath,h as formatPathname,d as formatPathnameTemplate,i as formatTemplatePathname,g as getBestMatchingDomain,p as getHost,l as getInternalTemplate,m as getLocaleAsPrefix,f as getLocalePrefixes,u as getNormalizedPathname,s as getPathnameMatch,a as getRouteParams,v as isLocaleSupportedOnDomain};
+import{getSortedPathnames as e,matchesPathname as t,normalizeTrailingSlash as n,getLocalePrefix as r,templateToRegex as o,prefixPathname as c}from"../shared/utils.js";function l(n,r,o){const c=e(Object.keys(n));for(const e of c){const c=n[e];if("string"==typeof c){if(t(c,r))return[void 0,e]}else{const n=Object.entries(c),l=n.findIndex((e=>{let[t]=e;return t===o}));l>0&&n.unshift(n.splice(l,1)[0]);for(const[o,c]of n)if(t(c,r))return[o,e]}}for(const e of Object.keys(n))if(t(e,r))return[void 0,e];return[void 0,void 0]}function i(e,t,r,o){let c="";return c+=d(r,a(t,e)),c=n(c),c}function u(e,t,r){e.endsWith("/")||(e+="/");const o=f(t,r),c=new RegExp("^(".concat(o.map((e=>{let[,t]=e;return t.replaceAll("/","\\/")})).join("|"),")/(.*)"),"i"),l=e.match(c);let i=l?"/"+l[2]:e;return"/"!==i&&(i=n(i)),i}function f(e,t){return e.map((e=>[e,r(e,t)]))}function s(e,t,n){const r=f(t,n);for(const[t,n]of r){let r,o;if(e===n||e.startsWith(n+"/"))r=o=!0;else{const t=e.toLowerCase(),c=n.toLowerCase();(t===c||t.startsWith(c+"/"))&&(r=!1,o=!0)}if(o)return{locale:t,prefix:n,matchedPrefix:e.slice(0,n.length),exact:r}}}function a(e,t){const r=n(t),c=n(e),l=o(c).exec(r);if(!l)return;const i={};for(let e=1;e<l.length;e++){var u;const t=null===(u=c.match(/\[([^\]]+)\]/g))||void 0===u?void 0:u[e-1].replace(/[[\]]/g,"");t&&(i[t]=l[e])}return i}function d(e,t){if(!t)return e;let n=e=e.replace(/\[\[/g,"[").replace(/\]\]/g,"]");return Object.entries(t).forEach((e=>{let[t,r]=e;n=n.replace("[".concat(t,"]"),r)})),n}function p(e,t,n){let r=e;return t&&(r=c(t,r)),n&&(r+=n),r}function h(e){var t,n;return null!==(t=null!==(n=e.get("x-forwarded-host"))&&void 0!==n?n:e.get("host"))&&void 0!==t?t:void 0}function g(e,t){return t.defaultLocale===e||!t.locales||t.locales.includes(e)}function v(e,t,n){let r;return e&&g(t,e)&&(r=e),r||(r=n.find((e=>e.defaultLocale===t))),r||(r=n.find((e=>null!=e.locales&&e.locales.includes(t)))),r||null!=(null==e?void 0:e.locales)||(r=e),r||(r=n.find((e=>!e.locales))),r}function x(e,t){return n(t+e)}function m(e){return"/".concat(e)}function j(e){return e.replace(/\\/g,"%5C").replace(/\/+/g,"/")}export{x as applyBasePath,p as formatPathname,d as formatPathnameTemplate,i as formatTemplatePathname,v as getBestMatchingDomain,h as getHost,l as getInternalTemplate,m as getLocaleAsPrefix,f as getLocalePrefixes,u as getNormalizedPathname,s as getPathnameMatch,a as getRouteParams,g as isLocaleSupportedOnDomain,j as sanitizePathname};

package/dist/production/middleware/middleware.js

@@ -1 +1 @@
-"use strict";Object.defineProperty(exports,"__esModule",{value:!0});var e=require("next/server"),a=require("../shared/constants.js"),t=require("../shared/utils.js"),r=require("./config.js"),l=require("./getAlternateLinksHeaderValue.js"),o=require("./resolveLocale.js"),n=require("./syncCookie.js"),s=require("./utils.js");exports.default=function(i){const c=r.receiveConfig(i);return function(r){var i;const d=decodeURI(r.nextUrl.pathname),{domain:f,locale:m}=o.default(c,r.headers,r.cookies,d),h=f?f.defaultLocale===m:m===c.defaultLocale,u=(null===(i=c.domains)||void 0===i?void 0:i.filter((e=>s.isLocaleSupportedOnDomain(m,e))))||[],x=null!=c.domains&&!f;function P(t){const l=new URL(t,r.url);r.nextUrl.basePath&&(l.pathname=s.applyBasePath(l.pathname,r.nextUrl.basePath));const o=new Headers(r.headers);return o.set(a.HEADER_LOCALE_NAME,m),e.NextResponse.rewrite(l,{request:{headers:o}})}function p(a,l){const o=new URL(t.normalizeTrailingSlash(a),r.url);if(u.length>0&&!l){const e=s.getBestMatchingDomain(f,m,u);e&&(l=e.domain,e.defaultLocale===m&&"as-needed"===c.localePrefix.mode&&(o.pathname=s.getNormalizedPathname(o.pathname,c.locales,c.localePrefix)))}var n,i;l&&(o.host=l,r.headers.get("x-forwarded-host")&&(o.protocol=null!==(n=r.headers.get("x-forwarded-proto"))&&void 0!==n?n:r.nextUrl.protocol,o.port=null!==(i=r.headers.get("x-forwarded-port"))&&void 0!==i?i:""));return r.nextUrl.basePath&&(o.pathname=s.applyBasePath(o.pathname,r.nextUrl.basePath)),e.NextResponse.redirect(o.toString())}const g=s.getNormalizedPathname(d,c.locales,c.localePrefix),v=s.getPathnameMatch(d,c.locales,c.localePrefix),L=null!=v,U="never"===c.localePrefix.mode||h&&"as-needed"===c.localePrefix.mode;let q,j,w=g;if(c.pathnames){let e;if([e,j]=s.getInternalTemplate(c.pathnames,g,m),j){const a=c.pathnames[j],l="string"==typeof a?a:a[m];if(t.matchesPathname(l,g))w=s.formatTemplatePathname(g,l,j);else{let o;o=e?"string"==typeof a?a:a[e]:j;const n=U?void 0:t.getLocalePrefix(m,c.localePrefix),i=s.formatTemplatePathname(g,o,l);q=p(s.formatPathname(i,n,r.nextUrl.search))}}}if(!q)if("/"!==w||L){const e=s.formatPathname(w,s.getLocaleAsPrefix(m),r.nextUrl.search);if(L){const a=s.formatPathname(g,v.prefix,r.nextUrl.search);if("never"===c.localePrefix.mode)q=p(s.formatPathname(g,void 0,r.nextUrl.search));else if(v.exact)if(h&&U)q=p(s.formatPathname(g,void 0,r.nextUrl.search));else if(c.domains){const t=s.getBestMatchingDomain(f,v.locale,u);q=(null==f?void 0:f.domain)===(null==t?void 0:t.domain)||x?P(e):p(a,null==t?void 0:t.domain)}else q=P(e);else q=p(a)}else q=U?P(e):p(s.formatPathname(g,t.getLocalePrefix(m,c.localePrefix),r.nextUrl.search))}else q=U?P(s.formatPathname(w,s.getLocaleAsPrefix(m),r.nextUrl.search)):p(s.formatPathname(g,t.getLocalePrefix(m,c.localePrefix),r.nextUrl.search));var y;(c.localeDetection&&n.default(r,q,m),"never"!==c.localePrefix.mode&&c.alternateLinks&&c.locales.length>1)&&q.headers.set("Link",l.default({config:c,localizedPathnames:null!=j?null===(y=c.pathnames)||void 0===y?void 0:y[j]:void 0,request:r,resolvedLocale:m}));return q}};
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0});var e=require("next/server"),a=require("../shared/constants.js"),t=require("../shared/utils.js"),r=require("./config.js"),l=require("./getAlternateLinksHeaderValue.js"),o=require("./resolveLocale.js"),n=require("./syncCookie.js"),s=require("./utils.js");exports.default=function(i){const c=r.receiveConfig(i);return function(r){var i;const d=decodeURI(r.nextUrl.pathname),m=s.sanitizePathname(d),{domain:f,locale:h}=o.default(c,r.headers,r.cookies,m),u=f?f.defaultLocale===h:h===c.defaultLocale,x=(null===(i=c.domains)||void 0===i?void 0:i.filter((e=>s.isLocaleSupportedOnDomain(h,e))))||[],P=null!=c.domains&&!f;function p(t){const l=new URL(t,r.url);r.nextUrl.basePath&&(l.pathname=s.applyBasePath(l.pathname,r.nextUrl.basePath));const o=new Headers(r.headers);return o.set(a.HEADER_LOCALE_NAME,h),e.NextResponse.rewrite(l,{request:{headers:o}})}function g(a,l){const o=new URL(t.normalizeTrailingSlash(a),r.url);if(x.length>0&&!l){const e=s.getBestMatchingDomain(f,h,x);e&&(l=e.domain,e.defaultLocale===h&&"as-needed"===c.localePrefix.mode&&(o.pathname=s.getNormalizedPathname(o.pathname,c.locales,c.localePrefix)))}var n,i;l&&(o.host=l,r.headers.get("x-forwarded-host")&&(o.protocol=null!==(n=r.headers.get("x-forwarded-proto"))&&void 0!==n?n:r.nextUrl.protocol,o.port=null!==(i=r.headers.get("x-forwarded-port"))&&void 0!==i?i:""));return r.nextUrl.basePath&&(o.pathname=s.applyBasePath(o.pathname,r.nextUrl.basePath)),e.NextResponse.redirect(o.toString())}const v=s.getNormalizedPathname(m,c.locales,c.localePrefix),L=s.getPathnameMatch(m,c.locales,c.localePrefix),U=null!=L,q="never"===c.localePrefix.mode||u&&"as-needed"===c.localePrefix.mode;let j,w,y=v;if(c.pathnames){let e;if([e,w]=s.getInternalTemplate(c.pathnames,v,h),w){const a=c.pathnames[w],l="string"==typeof a?a:a[h];if(t.matchesPathname(l,v))y=s.formatTemplatePathname(v,l,w);else{let o;o=e?"string"==typeof a?a:a[e]:w;const n=q?void 0:t.getLocalePrefix(h,c.localePrefix),i=s.formatTemplatePathname(v,o,l);j=g(s.formatPathname(i,n,r.nextUrl.search))}}}if(!j)if("/"!==y||U){const e=s.formatPathname(y,s.getLocaleAsPrefix(h),r.nextUrl.search);if(U){const a=s.formatPathname(v,L.prefix,r.nextUrl.search);if("never"===c.localePrefix.mode)j=g(s.formatPathname(v,void 0,r.nextUrl.search));else if(L.exact)if(u&&q)j=g(s.formatPathname(v,void 0,r.nextUrl.search));else if(c.domains){const t=s.getBestMatchingDomain(f,L.locale,x);j=(null==f?void 0:f.domain)===(null==t?void 0:t.domain)||P?p(e):g(a,null==t?void 0:t.domain)}else j=p(e);else j=g(a)}else j=q?p(e):g(s.formatPathname(v,t.getLocalePrefix(h,c.localePrefix),r.nextUrl.search))}else j=q?p(s.formatPathname(y,s.getLocaleAsPrefix(h),r.nextUrl.search)):g(s.formatPathname(v,t.getLocalePrefix(h,c.localePrefix),r.nextUrl.search));var A;(c.localeDetection&&n.default(r,j,h),"never"!==c.localePrefix.mode&&c.alternateLinks&&c.locales.length>1)&&j.headers.set("Link",l.default({config:c,localizedPathnames:null!=w?null===(A=c.pathnames)||void 0===A?void 0:A[w]:void 0,request:r,resolvedLocale:h}));return j}};

package/dist/production/middleware/utils.js

@@ -1 +1 @@
-"use strict";Object.defineProperty(exports,"__esModule",{value:!0});var e=require("../shared/utils.js");function t(t,n){return t.map((t=>[t,e.getLocalePrefix(t,n)]))}function n(t,n){const r=e.normalizeTrailingSlash(n),o=e.normalizeTrailingSlash(t),a=e.templateToRegex(o).exec(r);if(!a)return;const l={};for(let e=1;e<a.length;e++){var i;const t=null===(i=o.match(/\[([^\]]+)\]/g))||void 0===i?void 0:i[e-1].replace(/[[\]]/g,"");t&&(l[t]=a[e])}return l}function r(e,t){if(!t)return e;let n=e=e.replace(/\[\[/g,"[").replace(/\]\]/g,"]");return Object.entries(t).forEach((e=>{let[t,r]=e;n=n.replace("[".concat(t,"]"),r)})),n}function o(e,t){return t.defaultLocale===e||!t.locales||t.locales.includes(e)}exports.applyBasePath=function(t,n){return e.normalizeTrailingSlash(n+t)},exports.formatPathname=function(t,n,r){let o=t;return n&&(o=e.prefixPathname(n,o)),r&&(o+=r),o},exports.formatPathnameTemplate=r,exports.formatTemplatePathname=function(t,o,a,l){let i="";return i+=r(a,n(o,t)),i=e.normalizeTrailingSlash(i),i},exports.getBestMatchingDomain=function(e,t,n){let r;return e&&o(t,e)&&(r=e),r||(r=n.find((e=>e.defaultLocale===t))),r||(r=n.find((e=>null!=e.locales&&e.locales.includes(t)))),r||null!=(null==e?void 0:e.locales)||(r=e),r||(r=n.find((e=>!e.locales))),r},exports.getHost=function(e){var t,n;return null!==(t=null!==(n=e.get("x-forwarded-host"))&&void 0!==n?n:e.get("host"))&&void 0!==t?t:void 0},exports.getInternalTemplate=function(t,n,r){const o=e.getSortedPathnames(Object.keys(t));for(const a of o){const o=t[a];if("string"==typeof o){const t=o;if(e.matchesPathname(t,n))return[void 0,a]}else{const t=Object.entries(o),l=t.findIndex((e=>{let[t]=e;return t===r}));l>0&&t.unshift(t.splice(l,1)[0]);for(const[r,o]of t)if(e.matchesPathname(o,n))return[r,a]}}for(const r of Object.keys(t))if(e.matchesPathname(r,n))return[void 0,r];return[void 0,void 0]},exports.getLocaleAsPrefix=function(e){return"/".concat(e)},exports.getLocalePrefixes=t,exports.getNormalizedPathname=function(n,r,o){n.endsWith("/")||(n+="/");const a=t(r,o),l=new RegExp("^(".concat(a.map((e=>{let[,t]=e;return t.replaceAll("/","\\/")})).join("|"),")/(.*)"),"i"),i=n.match(l);let s=i?"/"+i[2]:n;return"/"!==s&&(s=e.normalizeTrailingSlash(s)),s},exports.getPathnameMatch=function(e,n,r){const o=t(n,r);for(const[t,n]of o){let r,o;if(e===n||e.startsWith(n+"/"))r=o=!0;else{const t=e.toLowerCase(),a=n.toLowerCase();(t===a||t.startsWith(a+"/"))&&(r=!1,o=!0)}if(o)return{locale:t,prefix:n,matchedPrefix:e.slice(0,n.length),exact:r}}},exports.getRouteParams=n,exports.isLocaleSupportedOnDomain=o;
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0});var e=require("../shared/utils.js");function t(t,n){return t.map((t=>[t,e.getLocalePrefix(t,n)]))}function n(t,n){const r=e.normalizeTrailingSlash(n),o=e.normalizeTrailingSlash(t),a=e.templateToRegex(o).exec(r);if(!a)return;const l={};for(let e=1;e<a.length;e++){var i;const t=null===(i=o.match(/\[([^\]]+)\]/g))||void 0===i?void 0:i[e-1].replace(/[[\]]/g,"");t&&(l[t]=a[e])}return l}function r(e,t){if(!t)return e;let n=e=e.replace(/\[\[/g,"[").replace(/\]\]/g,"]");return Object.entries(t).forEach((e=>{let[t,r]=e;n=n.replace("[".concat(t,"]"),r)})),n}function o(e,t){return t.defaultLocale===e||!t.locales||t.locales.includes(e)}exports.applyBasePath=function(t,n){return e.normalizeTrailingSlash(n+t)},exports.formatPathname=function(t,n,r){let o=t;return n&&(o=e.prefixPathname(n,o)),r&&(o+=r),o},exports.formatPathnameTemplate=r,exports.formatTemplatePathname=function(t,o,a,l){let i="";return i+=r(a,n(o,t)),i=e.normalizeTrailingSlash(i),i},exports.getBestMatchingDomain=function(e,t,n){let r;return e&&o(t,e)&&(r=e),r||(r=n.find((e=>e.defaultLocale===t))),r||(r=n.find((e=>null!=e.locales&&e.locales.includes(t)))),r||null!=(null==e?void 0:e.locales)||(r=e),r||(r=n.find((e=>!e.locales))),r},exports.getHost=function(e){var t,n;return null!==(t=null!==(n=e.get("x-forwarded-host"))&&void 0!==n?n:e.get("host"))&&void 0!==t?t:void 0},exports.getInternalTemplate=function(t,n,r){const o=e.getSortedPathnames(Object.keys(t));for(const a of o){const o=t[a];if("string"==typeof o){const t=o;if(e.matchesPathname(t,n))return[void 0,a]}else{const t=Object.entries(o),l=t.findIndex((e=>{let[t]=e;return t===r}));l>0&&t.unshift(t.splice(l,1)[0]);for(const[r,o]of t)if(e.matchesPathname(o,n))return[r,a]}}for(const r of Object.keys(t))if(e.matchesPathname(r,n))return[void 0,r];return[void 0,void 0]},exports.getLocaleAsPrefix=function(e){return"/".concat(e)},exports.getLocalePrefixes=t,exports.getNormalizedPathname=function(n,r,o){n.endsWith("/")||(n+="/");const a=t(r,o),l=new RegExp("^(".concat(a.map((e=>{let[,t]=e;return t.replaceAll("/","\\/")})).join("|"),")/(.*)"),"i"),i=n.match(l);let s=i?"/"+i[2]:n;return"/"!==s&&(s=e.normalizeTrailingSlash(s)),s},exports.getPathnameMatch=function(e,n,r){const o=t(n,r);for(const[t,n]of o){let r,o;if(e===n||e.startsWith(n+"/"))r=o=!0;else{const t=e.toLowerCase(),a=n.toLowerCase();(t===a||t.startsWith(a+"/"))&&(r=!1,o=!0)}if(o)return{locale:t,prefix:n,matchedPrefix:e.slice(0,n.length),exact:r}}},exports.getRouteParams=n,exports.isLocaleSupportedOnDomain=o,exports.sanitizePathname=function(e){return e.replace(/\\/g,"%5C").replace(/\/+/g,"/")};

package/dist/types/src/middleware/utils.d.ts

@@ -22,3 +22,4 @@ export declare function isLocaleSupportedOnDomain<AppLocales extends Locales>(lo
 export declare function getBestMatchingDomain<AppLocales extends Locales>(curHostDomain: DomainConfig<AppLocales> | undefined, locale: string, domainsConfig: DomainsConfig<AppLocales>): DomainConfig<AppLocales> | undefined;
 export declare function applyBasePath(pathname: string, basePath: string): string;
 export declare function getLocaleAsPrefix<AppLocales extends Locales>(locale: AppLocales[number]): string;
+export declare function sanitizePathname(pathname: string): string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "next-intl",
-  "version": "3.17.1",
+  "version": "3.17.2",
   "sideEffects": false,
   "author": "Jan Amann <jan@amann.work>",
   "funding": [
@@ -87,7 +87,7 @@
   "dependencies": {
     "@formatjs/intl-localematcher": "^0.2.32",
     "negotiator": "^0.6.3",
-    "use-intl": "^3.17.1"
+    "use-intl": "^3.17.2"
   },
   "peerDependencies": {
     "next": "^10.0.0 || ^11.0.0 || ^12.0.0 || ^13.0.0 || ^14.0.0",
@@ -120,12 +120,12 @@
     },
     {
       "path": "dist/production/middleware.js",
-      "limit": "6.485 KB"
+      "limit": "6.525 KB"
     },
     {
       "path": "dist/production/routing.js",
       "limit": "0 KB"
     }
   ],
-  "gitHead": "1635c438061d18f89c0b6818213892051e19fa65"
+  "gitHead": "b2117e10bab62c4b26cbd712551816a22a71e63f"
 }