fis: escape uri all (#1121)

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

HISTORY.md

@@ -6,6 +6,11 @@ All notable changes to this project will be documented in this file.
 
 <!-- add unreleased items here -->
 
+* Fixed
+  * Imported URL sanitizer (via [#1121])
+
+[#1121]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1121
+
 ## 6.10.1 -- 2024-07-03
 
 * Fixed

src/_helpers/uri.ts

@@ -17,15 +17,15 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-const escapeMap: Readonly<Record<string, string>> = Object.freeze({
-  ' ': '%20',
-  '[': '%5B',
-  ']': '%5D',
-  '<': '%3C',
-  '>': '%3E',
-  '{': '%7B',
-  '}': '%7D'
-})
+const _ESCAPES: Array<[RegExp, string]> = [
+  [/ /g, '%20'],
+  [/\[/g, '%5B'],
+  [/]/g, '%5D'],
+  [/</g, '%3C'],
+  [/>/g, '%3E'],
+  [/\{/g, '%7B'],
+  [/}/g, '%7D']
+]
 
 /**
  * Make a string valid to
@@ -43,7 +43,7 @@ export function escapeUri<T extends (string | undefined)> (value: T): T {
   if (value === undefined) {
     return value
   }
-  for (const [s, r] of Object.entries(escapeMap)) {
+  for (const [s, r] of _ESCAPES) {
     /* @ts-expect-error -- TS does not properly detect that value is to be forced as string, here */
     value = value.replace(s, r)
   }

tests/_data/models.js

@@ -283,12 +283,12 @@ module.exports.createComplexStructure = function () {
             ['encode anyUri: https', 'https://example.org/p?k=v#f'],
             ['encode anyUri: mailto', 'mailto:[email protected]'],
             ['encode anyUri: relative path', '../foo/bar'],
-            ['encode anyUri: space', 'https://example.org/foo bar'],
-            ['encode anyUri: []', 'https://example.org/?bar[test]=baz'],
-            ['encode anyUri: <>', 'https://example.org/#<test>'],
-            ['encode anyUri: {}', 'https://example.org/#{test}'],
+            ['encode anyUri: space', 'https://example.org/foo bar bazz%20again+again'],
+            ['encode anyUri: []', 'https://example.org/?bar[test]=baz[again]'],
+            ['encode anyUri: <>', 'https://example.org/#<test><again>'],
+            ['encode anyUri: {}', 'https://example.org/#{test}{again}'],
             ['encode anyUri: non-ASCII', 'https://example.org/édition'],
-            ['encode anyUri: partially encoded', 'https://example.org/?bar[test%5D=baz']
+            ['encode anyUri: partially encoded', 'https://example.org/?bar[test%5D=baz%5bagain]']
           ].map(
             ([desc, uri]) => new Models.ExternalReference(
               uri, Enums.ExternalReferenceType.Other, {