From 8039ed0e63e883d22f2192f57e9f67d383977100 Mon Sep 17 00:00:00 2001
From: gilgahex
Date: Tue, 2 Aug 2022 16:35:36 -0700
Subject: [PATCH] Unicode 202E vuln fix
---
src/match/url-match.ts | 3 +++
tests/autolinker-url.spec.ts | 9 ++++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/match/url-match.ts b/src/match/url-match.ts
index 9a006998..f07a8c8f 100644
--- a/src/match/url-match.ts
+++ b/src/match/url-match.ts
@@ -170,6 +170,9 @@ export class UrlMatch extends Match {
 getAnchorHref() {
 let url = this.getUrl();
+//Strip malicious Unicode SNYK-AUTOLINKER-2438289
+url.replace('\u202E', '');
+
 return url.replace(/&/g, '&'); // any &'s in the URL should be converted back to '&' if they were displayed as & in the source html
 }
diff --git a/tests/autolinker-url.spec.ts b/tests/autolinker-url.spec.ts
index 2abe2b4e..bc7b4b88 100644
--- a/tests/autolinker-url.spec.ts
+++ b/tests/autolinker-url.spec.ts
@@ -1182,8 +1182,15 @@ describe('Autolinker Url Matching -', () => {
 );
 });
+describe('unicode exploits', () => {
+it('should strip out Right-To-Left Override Unicode characters for security', () => {
+var result = autolinker.link('https://legit.ok/files\u202E4pm.asia');
+expect(result).toBe('');
+});
+});
+
 describe('combination example', () => {
-it(`should automatically link all of the URLs of many different forms`, () => {
+it('should automatically link all of the URLs of many different forms', () => {
 let inputStr = `
 Joe went to http://yahoo.com and http://localhost today along with http://localhost:8000.
 He also had a path on localhost: http://localhost:8000/abc, and a query string: http://localhost:8000?abc
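Review bot: The added `url.replace('\u202E', '')` in getAnchorHref discards its return value, so `url` is unchanged and the href returned two lines later still carries the override character; JavaScript strings are immutable, which makes the fix as written a no-op. A string pattern also replaces only the first occurrence, and U+202E is just one of the bidi control characters (U+202A–U+202E, U+2066–U+2069) that can visually reorder a URL. Replace the line with `url = url.replace(/[\u202A-\u202E\u2066-\u2069]/g, '');` and reword the comment to say it strips all explicit bidi overrides and isolates, not only RLO. The new test in the second hunk expects `link()` to return `''`, which does not appear to follow from stripping a character out of the href; asserting `expect(result).not.toContain('\u202E')` would pin the intended behaviour — that hunk is cut off at the end of this view. The displayed anchor text is produced outside this hunk, so it may still contain the character and presumably needs the same stripping.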