backport lost commits

This commit is contained in:
AJ ONeal 2018-02-27 15:42:26 -07:00
parent b4a4a7220a
commit a791291cca
2 changed files with 10 additions and 10 deletions


@ -54,7 +54,7 @@ server.on('request', require('redirect-https')({
})); }));
server.listen(insecurePort, function () { server.listen(insecurePort, function () {
console.log('Listening on http://localhost.daplie.com:' + server.address().port); console.log('Listening on http://localhost.pplwink.com:' + server.address().port);
}); });
``` ```
@ -81,6 +81,6 @@ If your application is properly separated between static assets and api, then it
The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it
so that no malicious links of this sort will yield unexpected behavior: so that no malicious links of this sort will yield unexpected behavior:
* `http://localhost.daplie.com:8080/"><script>alert('hi')</script>` * `http://localhost.pplwink.com:8080/"><script>alert('hi')</script>`
* `http://localhost.daplie.com:8080/';URL=http://example.com` * `http://localhost.pplwink.com:8080/';URL=http://example.com`
* `http://localhost.daplie.com:8080/;URL=http://example.com` * `http://localhost.pplwink.com:8080/;URL=http://example.com`


@ -13,7 +13,7 @@ module.exports = function (opts) {
opts.body = "<!-- Hello Mr Developer! We don't serve insecure resources around here." opts.body = "<!-- Hello Mr Developer! We don't serve insecure resources around here."
+ "\n Please use HTTPS instead. -->"; + "\n Please use HTTPS instead. -->";
} }
opts.body = opts.body.replace(/{{\s+PORT\s+}}/i, opts.port); opts.body = opts.body.replace(/{{\s+PORT\s+}}/ig, opts.port);
return function (req, res, next) { return function (req, res, next) {
if (req.connection.encrypted if (req.connection.encrypted
@ -24,7 +24,7 @@ module.exports = function (opts) {
return; return;
} }
var url = req.url; var url = (req.originalUrl || req.url);
var host = req.headers.host || ''; var host = req.headers.host || '';
if (!/:\d+/.test(host) && 443 !== opts.port) { if (!/:\d+/.test(host) && 443 !== opts.port) {
// we are using standard port 80, but we aren't using standard port 443 // we are using standard port 80, but we aren't using standard port 443
@ -35,14 +35,14 @@ module.exports = function (opts) {
; ;
//var encodedLocation = encodeURI(newLocation); //var encodedLocation = encodeURI(newLocation);
var escapedLocation = escapeHtml(newLocation); var escapedLocation = escapeHtml(newLocation);
var encodedLocation; var decodedLocation;
try { try {
encodedLocation = decodeURIComponent(newLocation); decodedLocation = decodeURIComponent(newLocation);
} catch(e) { } catch(e) {
encodedLocation = newLocation; // "#/error/?error_message=" + e.toString(); decodedLocation = newLocation; // "#/error/?error_message=" + e.toString();
} }
var body = opts.body var body = opts.body
.replace(/{{\s*HTML_URL\s*}}/ig, escapeHtml(encodedLocation)) .replace(/{{\s*HTML_URL\s*}}/ig, escapeHtml(decodedLocation))
.replace(/{{\s*URL\s*}}/ig, escapedLocation) .replace(/{{\s*URL\s*}}/ig, escapedLocation)
.replace(/{{\s*UNSAFE_URL\s*}}/ig, newLocation) .replace(/{{\s*UNSAFE_URL\s*}}/ig, newLocation)
; ;
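Review bot: The PORT placeholder regex on the new `opts.body = opts.body.replace(/{{\s+PORT\s+}}/ig, opts.port);` line still requires at least one whitespace character on each side of `PORT`, whereas the `HTML_URL`, `URL` and `UNSAFE_URL` placeholders in the last hunk of this file use `\s*` and therefore also match the bare `{{URL}}` form. A template written as `{{PORT}}` is left unreplaced while `{{URL}}` works, which is easy to miss now that the added `g` flag makes the line look complete. Aligning it to `opts.body = opts.body.replace(/{{\s*PORT\s*}}/ig, opts.port);` keeps the placeholder grammar consistent across the module. The enclosing `module.exports` function starts before this hunk, so whether `opts.port` is checked to be a number earlier is not visible here.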