I have the following situation.
- I do a GET request via an HTML form
- I have one text field and the field has the contents of `<< BLAH >alert (”BLAH”);//<</ blah >`. It's known invalid, hypothetical markup.
- I have an event listener on `webRequest`
- I attempt to `decodeURIComponent` on the full url of the webrequest, triggered by form submission - decoding fails, contrary to expectation.
- I expect that decodeURIComponent should be able to decode anything the browser encodes from a form. This appears to be a wrong assumption, or a bug in chrome: 55.0.x*
If the below JS was in a chrome extension, the following snippet would demonstrate the issue.
```js
// Match every request URL.
var filter = { urls: ['<all_urls>'] }

function handler (details) {
  // Decoding fails here for the form submission described above.
  decodeURIComponent(details.url)
}

chrome.webRequest.onBeforeRequest.addListener(
  handler,
  filter,
  ['blocking', 'requestBody']
)
```

```html
<form method='get'>
  <input type='text' name='field'/>
  <button type='submit'>submit</button>
</form>
```
Of course you can't actually run this--webRequest is part of the chrome extension API.
Looking for tips. Thanks!
I had a `URI malformed` error in Google Chrome when I tried decoding a string using `decodeURIComponent` as well. It failed on the `%` character that was in that string. I did not want any check to happen on the validity of that string, so I ended up using the `unescape` method instead: `unescape(mystring)`
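An added example, not part of the question or the answer above: `decodeURIComponent` throws `URIError` when a `%` is not followed by two hex digits or when the escaped bytes are not valid UTF-8, so a listener that receives arbitrary request URLs can decode tolerantly and flag what it could not decode. The helper names and the sample URL are constructed for illustration.

```javascript
// Added example; utf8Length, safeDecode and queryFields are hypothetical names.
// Length of a UTF-8 sequence judged from its lead byte (0 = not a valid lead byte).
function utf8Length (byte) {
  if (byte < 0x80) return 1
  if (byte >= 0xC2 && byte <= 0xDF) return 2
  if (byte >= 0xE0 && byte <= 0xEF) return 3
  if (byte >= 0xF0 && byte <= 0xF4) return 4
  return 0
}

// Decode the %XX escapes that form valid UTF-8, keep the rest escaped, and
// report that instead of throwing URIError as decodeURIComponent does.
function safeDecode (input) {
  var malformed = /%(?![0-9A-Fa-f]{2})/.test(input) // "%" without two hex digits
  var text = input.replace(/(?:%[0-9A-Fa-f]{2})+/g, function (run) {
    var out = ''
    for (var i = 0; i < run.length;) {
      var len = utf8Length(parseInt(run.slice(i + 1, i + 3), 16))
      var chunk = run.slice(i, i + 3 * (len || 1))
      try {
        if (len === 0) throw new URIError('not a UTF-8 lead byte')
        out += decodeURIComponent(chunk)
        i += chunk.length
      } catch (e) {
        malformed = true
        out += run.slice(i, i + 3) // leave the undecodable byte escaped
        i += 3
      }
    }
    return out
  })
  return { text: text, malformed: malformed }
}

// Split the query string of a GET form submission into decoded fields.
function queryFields (url) {
  var noHash = url.split('#')[0]
  var q = noHash.indexOf('?')
  var pairs = q < 0 ? [] : noHash.slice(q + 1).split('&').filter(Boolean)
  return pairs.map(function (pair) {
    var eq = pair.indexOf('=')
    var name = safeDecode((eq < 0 ? pair : pair.slice(0, eq)).replace(/\+/g, ' '))
    var value = safeDecode((eq < 0 ? '' : pair.slice(eq + 1)).replace(/\+/g, ' '))
    return { name: name.text, value: value.text, malformed: name.malformed || value.malformed }
  })
}

// Constructed sample: the second escape run is not valid UTF-8.
console.log(queryFields('https://example.test/?field=%E2%80%9DBLAH%94+100%'))
```

Inside the listener, `queryFields(details.url)` would take the place of the bare `decodeURIComponent(details.url)` call, and fields flagged `malformed` can be logged for review.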