querystring: don't stringify bad surrogate pair

mscdex · evanlucas · commit a2ad21645fb3 · 2016-03-31T09:39:00.000-05:00
Fixes: #3702 PR-URL: #5858 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
diff --git a/lib/querystring.js b/lib/querystring.js
@@ -141,7 +141,7 @@ QueryString.escape = function(str) {
     if (i < str.length)
       c2 = str.charCodeAt(i) & 0x3FF;
     else
-      c2 = 0;
+      throw new URIError('URI malformed');
     lastPos = i + 1;
     c = 0x10000 + (((c & 0x3FF) << 10) | c2);
     out += hexTable[0xF0 | (c >> 18)] +
diff --git a/test/parallel/test-querystring.js b/test/parallel/test-querystring.js
@@ -139,6 +139,11 @@ qsWeirdObjects.forEach(function(testCase) {
   assert.equal(testCase[1], qs.stringify(testCase[0]));
 });
 
+// invalid surrogate pair throws URIError
+assert.throws(function() {
+  qs.stringify({ foo: '\udc00' });
+}, URIError);
+
 // coerce numbers to string
 assert.strictEqual('foo=0', qs.stringify({ foo: 0 }));
 assert.strictEqual('foo=0', qs.stringify({ foo: -0 }));
