🐛 Fixed malformed URLs crashing the url helper

refs https://github.com/TryGhost/Team/issues/960 - Character like "%%" or "%80" would crash our current url escaping behavior. We consider they aren't valid URLs as the percentages haven't been properly escaped.
2025-01-20 22:42:53 -05:00 · 2021-12-02 10:34:15 +01:00 · 2021-12-02 10:34:15 +01:00 · 0367101c87
commit 0367101c87
parent 0b973d1f29
2 changed files with 12 additions and 1 deletions
--- a/core/frontend/helpers/url.js
+++ b/core/frontend/helpers/url.js
@ -11,7 +11,12 @@ module.exports = function url(options) {
    const absolute = options && options.hash.absolute && options.hash.absolute !== 'false';
    let outputUrl = getMetaDataUrl(this, absolute);

-    outputUrl = encodeURI(decodeURI(outputUrl));
+    try {
+        outputUrl = encodeURI(decodeURI(outputUrl));
+    } catch (err) {
+        // Happens when the outputURL contains an invalid URI character like "%%" or "%80"
+        return new SafeString('');
+    }

    return new SafeString(outputUrl);
 };
--- a/test/unit/helpers/url_spec.js
+++ b/test/unit/helpers/url_spec.js
@ -268,6 +268,12 @@ describe('{{url}} helper', function () {
            should.exist(rendered);
            rendered.string.should.equal('/?foo=space%20bar');
        });
+
+        it('should an empty string when we can\'t parse a string', function () {
+            rendered = helpers.url.call({url: '/?foo=space%%bar', label: 'Baz', slug: 'baz', current: true});
+            should.exist(rendered);
+            rendered.string.should.equal('');
+        });
    });

    describe('with subdir', function () {