Forcibly escape username/pass for basic auth URLs too

geelen · geelen · commit 607b226a356c · 2025-06-17T15:04:25.000+10:00
diff --git a/src/lib/utils.test.ts b/src/lib/utils.test.ts
@@ -84,6 +84,11 @@ describe('sanitizeUrl', () => {
       const result = sanitizeUrl('https://example.com?empty&hasvalue=test')
       expect(result).toBe('https://example.com/?empty&hasvalue=test')
     })
+
+    it('should encode basic auth', () => {
+      const result = sanitizeUrl('http://user$(calc)r:pass$(calc)word@domain.com')
+      expect(result).toBe('http://user%24(calc)r:pass%24(calc)word@domain.com/')
+    })
   })
 
   describe('should handle complex URLs', () => {
diff --git a/src/lib/utils.ts b/src/lib/utils.ts
@@ -722,6 +722,8 @@ export function sanitizeUrl(raw: string) {
   if (url.hostname !== encodeURIComponent(url.hostname)) abort()
 
   // Forcibly sanitise all the pieces of the URL
+  if (url.username) url.username = encodeURIComponent(url.username)
+  if (url.password) url.password = encodeURIComponent(url.password)
   url.pathname = url.pathname.slice(0, 1) + encodeURIComponent(url.pathname.slice(1)).replace(/%2f/ig,'/')
   url.search = url.search.slice(0, 1) + Array.from(url.searchParams.entries()).map(sanitizeParam).join('&')
   url.hash = url.hash.slice(0, 1) + encodeURIComponent(url.hash.slice(1))
