Fixes #237: stricter Base64 checks.

Author: sebadoom

js/app.js

@@ -419,6 +419,13 @@ FaFp+DyAe+b4nDwuJaW2LURbr8AEZga7oQj0uYxcYw==\n\
       return;
     }
 
+    if(!window.isValidBase64String(parts[0], true) ||
+       !window.isValidBase64String(parts[1], true) ||
+       !window.isValidBase64String(parts[2], true)) {
+      $('.input').addClass('error');
+      return;
+    }
+
     var decodedHeader = window.decode(parts[0]);
 
     try {

js/jwt.js

@@ -103,9 +103,12 @@ window.sign = function (algorithm, header, payload, key, isSecretBase64Encoded)
   return {result: value, error: error};
 };
 
-window.isValidBase64String = function (s) {
+window.isValidBase64String = function (s, urlOnly) {
   try {
-    var validChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_+/=';
+    var validChars = urlOnly ?
+      'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_=' :
+      'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_+/=';
+
     var hasPadding = false;
     for(var i = 0; i < s.length; ++i) {
       hasPadding |= s.charAt(i) === '=';