new URL() accepts array of string #41653

Description

@7c

Version

v14.18.2

Platform

macos && ubuntu tested

Subsystem

No response

What steps will reproduce the bug?

Based on the documentation and the WHATWG URL API, new URL() accepts a string as input. By testing, I figured out that an array with a single string is also accepted, as seen here:

image

I understand this might be accepted, but an array with 2 strings is not accepted; more problematic, it returns a VALID URL which should NOT be valid (see screenshot). Moreover, the same situation applies to Chrome and Firefox (latest versions).

This behaviour might cause a security issue, especially since passing an array with 2 strings does not throw any INVALID_URL error like the 4th case in the screenshot. People might inject stuff and this validation would fail. Even though this might be a minor issue in the browser, on the server side this might be a major thing.

How often does it reproduce? Is there a required condition?

No response

What is the expected behavior?

new url("https://github.com/nodejs/node/issues/Array") should throw

What do you see instead?

image

Additional information

No response
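
The behaviour reported above comes from `new URL()` converting its argument to a string before parsing, so an array is joined with commas first. The following is an added example, not code from the issue or from Node.js: a strict wrapper that rejects non-string input before parsing. `coercedHref`, `parseUrlStrict`, `check` and the sample inputs are hypothetical names and constructed values.

```javascript
// Added example: a strict wrapper around new URL() that refuses non-string input.
// All function names and sample inputs here are constructed for illustration.

// new URL(input) stringifies its argument first, so an array is joined
// with commas before parsing: ['https://example.com/a', 'b'] is parsed
// as the single string 'https://example.com/a,b'.
function coercedHref(input) {
  return new URL(input).href;
}

// Validate the type before parsing, then restrict the protocol.
function parseUrlStrict(input, allowedProtocols = ['https:']) {
  if (typeof input !== 'string') {
    const kind = Array.isArray(input) ? 'array' : typeof input;
    throw new TypeError(`URL input must be a string, got ${kind}`);
  }
  const url = new URL(input); // throws TypeError when the string does not parse
  if (!allowedProtocols.includes(url.protocol)) {
    throw new TypeError(`protocol ${url.protocol} is not allowed`);
  }
  return url;
}

// Helper that reports the outcome instead of throwing.
function check(input) {
  try {
    return { ok: true, href: parseUrlStrict(input).href };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed samples: a string, a one-element array, a two-element array,
// and a string that is not a URL.
const samples = [
  'https://example.com/a',
  ['https://example.com/a'],
  ['https://example.com/a', 'b'],
  'not a url',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(check(s)));
}
```

Server-side frameworks that turn repeated query or form parameters into arrays are the usual source of such non-string values, which is why the type check runs before `new URL()`.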

    Labels

    whatwg-url: Issues and PRs related to the WHATWG URL implementation.
