prevented xss() from crashing when attempting to URI-decode a string

metellus · metellus · commit 02f2be6db29b · 2011-09-19T00:49:17.000-04:00
that is not URI-encoded
diff --git a/lib/xss.js b/lib/xss.js
@@ -64,7 +64,12 @@ exports.clean = function(str, is_image) {
 
     //Decode just in case stuff like this is submitted:
     //<a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
-    str = decodeURIComponent(str);
+    try{  
+      str = decodeURIComponent(str);
+    }
+    catch(error){
+      // str was not actually URI-encoded
+    }
 
     //Convert character entities to ASCII - this permits our tests below to work reliably.
     //We only convert entities that are within tags since these are the ones that will pose security problems.
