We're getting a high-severity CodeQL warning on
// https://stackoverflow.com/a/901144/7858838
export const getParameterValueByName = (name, url) => {
name = name.replace(/[\[\]]/g, '\\$&'); // eslint-disable-line no-useless-escape
const regex = new RegExp(`[?&]${name}(=([^&#]*)|&|#|$)`);
const results = regex.exec(url);
if (!results) return '';
if (!results[2]) return '';
return decodeURIComponent(results[2].replace(/\+/g, ' '));
};
that "Sanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting."
That's a generic warning and, so far as I know, backslashes are stripped from URLs to begin with, so it might be a moot point.
Can somebody either confirm this is an ignorable generic warning in the context of a URL utility, or suggest a better RegExp + some examples of malicious backslashes I can write tests against?
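The following is an added example, not code from the question or from the linked Stack Overflow answer. It keeps the original helper (renamed `getParamOriginal` here) next to a hardened variant (`getParamHardened`) that escapes every regex metacharacter in `name`, including the backslash, and wraps `decodeURIComponent`, which throws on malformed percent-encoding. `escapeRegExp` uses the same character set as MDN's escapeRegExp snippet; the built-in `RegExp.escape()` is not assumed to exist. `getParamStandard` is an assumed-name comparison using the platform's `URLSearchParams`. The inputs in the comments are constructed to show exactly which parameter names change the meaning of the original pattern: a name containing `.` matches a different key, and a name ending in a backslash turns the `(` of the capture group into a literal and makes `new RegExp` throw. Whether a backslash can reach this function depends on where `name` comes from; the example only shows what happens if one does.

```javascript
// Added example: the helper from the question (escaping only [ and ]) beside a
// version with complete regex escaping. Names are illustrative, not from any library.

// Original behaviour, kept for comparison: only [ and ] are escaped, so ".", "(",
// "|", "\" and friends in `name` are still interpreted by the RegExp engine.
function getParamOriginal(name, url) {
  name = name.replace(/[\[\]]/g, '\\$&');
  const regex = new RegExp(`[?&]${name}(=([^&#]*)|&|#|$)`);
  const results = regex.exec(url);
  if (!results) return '';
  if (!results[2]) return '';
  return decodeURIComponent(results[2].replace(/\+/g, ' '));
}

// Escape every character that is special in a JavaScript regex, backslash
// included. This is the character set from MDN's escapeRegExp example.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Hardened variant: `name` is always matched literally, and a malformed
// percent sequence in the value (e.g. "%E0%A4%A") yields '' instead of a URIError.
function getParamHardened(name, url) {
  const regex = new RegExp(`[?&]${escapeRegExp(name)}(=([^&#]*)|&|#|$)`);
  const results = regex.exec(url);
  if (!results || !results[2]) return '';
  try {
    return decodeURIComponent(results[2].replace(/\+/g, ' '));
  } catch (e) {
    return '';
  }
}

// Comparison using the platform parser. Assumed: `url` is absolute or the
// caller is happy with the placeholder base. URLSearchParams treats "+" as a
// space and replaces malformed percent sequences with U+FFFD rather than throwing.
function getParamStandard(name, url) {
  const params = new URL(url, 'http://placeholder.invalid/').searchParams;
  const value = params.get(name);
  return value === null ? '' : value;
}

// Returns true if calling fn throws; used to show the SyntaxError from the original.
function throwsOn(fn) {
  try { fn(); return false; } catch (e) { return true; }
}

// Constructed cases (not captured from a real site):
//   name "a.c" against "?abc=1": the original matches the wrong key, the hardened one does not.
//   name "a\" against "?a\=3": the original throws SyntaxError, the hardened one returns "3".
//   value "%E0%A4%A": the original throws URIError, the hardened one returns ''.
function demo() {
  return {
    originalMatchesWrongKey: getParamOriginal('a.c', '?abc=1'),        // "1"
    hardenedRejectsWrongKey: getParamHardened('a.c', '?abc=1'),        // ""
    hardenedMatchesLiteralDot: getParamHardened('a.c', '?a.c=2'),      // "2"
    originalThrowsOnBackslash: throwsOn(() => getParamOriginal('a\\', '?a\\=3')), // true
    hardenedHandlesBackslash: getParamHardened('a\\', '?a\\=3'),       // "3"
    hardenedSurvivesBadEncoding: getParamHardened('q', '?q=%E0%A4%A'), // ""
    standardPlusAndPercent: getParamStandard('q', 'http://example.test/?q=a+b%20c'), // "a b c"
  };
}

console.log(demo());
```

The cases in `demo()` are the ones worth turning into unit tests: one metacharacter that changes which key is matched, one backslash that breaks the pattern, and one malformed value that makes `decodeURIComponent` throw. If the surrounding code can use `URLSearchParams`, `getParamStandard` removes the hand-written regex altogether, with the caveats noted in its comment about `+` and about how malformed percent-encoding is decoded.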