Skip to content

new URL() accepts array of string #41653

New issue
New issue
Closed
#41658
Closed
new URL() accepts array of string#41653
#41658
Labels
whatwg-urlIssues and PRs related to the WHATWG URL implementation.
@7c

Description

@7c
7c
opened on Jan 22, 2022

Version

v14.18.2

Platform

macos && ubuntu tested

Subsystem

No response

What steps will reproduce the bug?

Based on documentation and WHATWG URL API new URL() accepts a string as input. By tests i figured out that an array with single string is also accepted as seen here:

image

i understand this might be accepted but an array with 2 strings is not accepted, more problematic, it returns a VALID URL which should NOT be valid (see screenshot). Moreover same situation applies to Chrome, Firefox (latest versions).

This behaviour might cause a security issue, since especially passing an array with 2 strings does not throw any INVALID_URL error like the 4th case in the screenshot. People might inject stuff and this validation would fail. Even though this might be minor issue on browser, at the server-side this might be major thing

How often does it reproduce? Is there a required condition?

No response

What is the expected behavior?

new URL(Array) should throw

What do you see instead?

image

Additional information

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    whatwg-urlIssues and PRs related to the WHATWG URL implementation.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions