Encode params in URLSearchParams
Summary:
URL params are not encoded, which could cause a security risk. For more details, please see https://fb.workplace.com/groups/react.technologies.discussions/permalink/3184249088473474/

Changelog:
[General][Security] - Encode URL params in URLSearchParams.toString()

Reviewed By: yungsters

Differential Revision: D34415119

fbshipit-source-id: 83c29df9427ad0adc9b6a2b4d0ff5494247aa5cb
luluwu2032 authored and facebook-github-bot committed Mar 12, 2022
1 parent a3d9892 commit 1042a80
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion Libraries/Blob/URL.js
Expand Up @@ -101,7 +101,13 @@ export class URLSearchParams {
}
const last = this._searchParams.length - 1;
return this._searchParams.reduce((acc, curr, index) => {
return acc + curr.join('=') + (index === last ? '' : '&');
return (
acc +
encodeURIComponent(curr[0]) +
'=' +
encodeURIComponent(curr[1]) +
(index === last ? '' : '&')
);
}, '');
}
}
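Review bot: The new reduce callback in toString() ships without a test: the commit changes only Libraries/Blob/URL.js, so nothing pins that a name or value containing `&`, `=`, `#` or `%` stays inside its own parameter after serialization. Please add a case that appends such a value and asserts on the exact string returned. Two behaviour points are also worth documenting next to `encodeURIComponent(curr[0])` and `encodeURIComponent(curr[1])`. First, callers that worked around the old `curr.join('=')` by encoding values before passing them in will now get double-encoded output (`%` becomes `%25`), so the changelog entry should flag this as a behaviour change. Second, encodeURIComponent is not the WHATWG application/x-www-form-urlencoded serializer: it emits `%20` rather than `+` for a space, leaves `!`, `'`, `(`, `)` and `~` unescaped, and throws URIError on a lone surrogate. That does not reopen the delimiter problem, but a short comment saying the divergence is intentional would save the next reader from assuming spec parity.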