Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Some unsafe characters (curly brackets) do not get url encoded #613

Open
pabo opened this issue Oct 13, 2016 · 1 comment
Open

Some unsafe characters (curly brackets) do not get url encoded #613

pabo opened this issue Oct 13, 2016 · 1 comment

Comments

@pabo
Copy link

pabo commented Oct 13, 2016

expected behavior: { and } are encoded as %7B and %7D
actual behavior: { and } are not encoded at all and are included raw.

Example:

This file is already encoded and has style rules that includes { (%7B):

$ cat test.css 

#div {
    background-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' version='1.1' class='checkmark' x='0' y='0' width='23.3' height='23.3' viewBox='0 0 23.3 23.3' xml:space='preserve' enable-background='new 0 0 23.3 23.3'%3E
%3Cstyle type='text/css'%3E.rtp0%7Bfill:%230382C1;%7D.rtp1%7Bfill:%23FFFFFF;%7D%3C/style%3E
%3Cpath class='rtp0' d='M23.3 11.7C23.3 5.2 18.1 0 11.7 0S0 5.2 0 11.7s5.2 11.7 11.7 11.7S23.3 18.1 23.3 11.7'/%3E%3Cpath class='rtp1' d='M11 16.2c-0.2 0.2-0.4 0.2-0.6 0L10 15.9l0 0 -4-3.7 1.6-1.8 3 2.8L16.4 7l1.7 1.7L11 16.2z'/%3E%3C/svg%3E");
}

running cssnano with svgo enabled, the { character gets decoded from %7B

$ node_modules/.bin/cssnano  test.css

#div{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' class='checkmark' width='23.3' height='23.3' viewBox='0 0 23.3 23.3'%3E
%3Cstyle%3E.rtp0{fill:%230382c1}.rtp1{fill:%23fff}%3C/style%3E
%3Cpath class='rtp0' d='M23.3 11.7C23.3 5.2 18.1 0 11.7 0S0 5.2 0 11.7s5.2 11.7 11.7 11.7 11.6-5.3 11.6-11.7'/%3E%3Cpath class='rtp1' d='M11 16.2c-.2.2-.4.2-.6 0l-.4-.3-4-3.7 1.6-1.8 3 2.8L16.4 7l1.7 1.7-7.1 7.5z'/%3E%3C/svg%3E")}

but disabling svgo, the { character stays encoded, as it should

$ node_modules/.bin/cssnano --no-svgo  test.css

#div{background-image:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' version='1.1' class='checkmark' x='0' y='0' width='23.3' height='23.3' viewBox='0 0 23.3 23.3' xml:space='preserve' enable-background='new 0 0 23.3 23.3'%3E
%3Cstyle type='text/css'%3E.rtp0%7Bfill:%230382C1;%7D.rtp1%7Bfill:%23FFFFFF;%7D%3C/style%3E
%3Cpath class='rtp0' d='M23.3 11.7C23.3 5.2 18.1 0 11.7 0S0 5.2 0 11.7s5.2 11.7 11.7 11.7S23.3 18.1 23.3 11.7'/%3E%3Cpath class='rtp1' d='M11 16.2c-0.2 0.2-0.4 0.2-0.6 0L10 15.9l0 0 -4-3.7 1.6-1.8 3 2.8L16.4 7l1.7 1.7L11 16.2z'/%3E%3C/svg%3E")}
@strarsis
Copy link
Contributor

strarsis commented Nov 26, 2016
edited
Loading

Could this module be useful for safe url-escaping?: inline-urlescape

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pabo @strarsis