diff --git a/src/URI.js b/src/URI.js index 1dceb2f3..cedcbbd4 100644 --- a/src/URI.js +++ b/src/URI.js @@ -612,12 +612,14 @@ }; URI.parseUserinfo = function(string, parts) { // extract username:password + var firstBackSlash = string.indexOf('\\'); var firstSlash = string.indexOf('/'); + var slash = firstBackSlash === -1 ? firstSlash : (firstSlash !== -1 ? Math.min(firstBackSlash, firstSlash): firstSlash) var pos = string.lastIndexOf('@', firstSlash > -1 ? firstSlash : string.length - 1); var t; - // authority@ must come before /path - if (pos > -1 && (firstSlash === -1 || pos < firstSlash)) { + // authority@ must come before /path or \path + if (pos > -1 && (slash === -1 || pos < slash)) { t = string.substring(0, pos).split(':'); parts.username = t[0] ? URI.decode(t[0]) : null; t.shift(); diff --git a/test/urls.js b/test/urls.js index 61d36771..5e0c06eb 100644 --- a/test/urls.js +++ b/test/urls.js @@ -1984,6 +1984,55 @@ var urls = [{ idn: false, punycode: false } + }, { + name: 'backslashes authority', + url: 'https://attacker.com\\@example.com/some/directory/file.html?query=string#fragment', + _url: 'https://attacker.com/@example.com/some/directory/file.html?query=string#fragment', + parts: { + protocol: 'https', + username: null, + password: null, + hostname: 'attacker.com', + port: null, + path: '/@example.com/some/directory/file.html', + query: 'query=string', + fragment: 'fragment' + }, + accessors: { + protocol: 'https', + username: '', + password: '', + port: '', + path: '/@example.com/some/directory/file.html', + query: 'query=string', + fragment: 'fragment', + resource: '/@example.com/some/directory/file.html?query=string#fragment', + authority: 'attacker.com', + origin: 'https://attacker.com', + userinfo: '', + subdomain: '', + domain: 'attacker.com', + tld: 'com', + directory: '/@example.com/some/directory', + filename: 'file.html', + suffix: 'html', + hash: '#fragment', + search: '?query=string', + host: 'attacker.com', + hostname: 'attacker.com' + }, + is: { + urn: false, + url: true, + relative: false, + name: true, + sld: false, + ip: false, + ip4: false, + ip6: false, + idn: false, + punycode: false + } } ];