Escaping issues with URL components & regex syntax #13
Description
Thanks for publishing this!
There seems to be an escaping issue if you enter a URL Pattern regular expression that also resembles a query string.
For example, try to create a new URL pattern https://example.com/a/.+/b/ (a regex to match any URL with /a/something/b/).
At this point in dragPanel.js:
function _uploadFile(files) {
const urlParams = new URLSearchParams(window.location.search);
const sitePattern = urlParams.get("sitePattern");
The variables have these values:
window.location.search == "?sitePattern=https://example.com/a/.+/b/&mode=add"
sitePattern == "https://example.com/a/. /b/"
The issue is that sitePattern is put into the URL without escaping the value in popup.js:
dragPanelUrl = dragPanelUrl + "?sitePattern=" + sitePattern.value + '&' + 'mode=add';
A similar issue occurs if you try to enter a URL pattern that includes a query string itself.
One possible fix would to be use URLSearchParams() in popup.js to build the URL, instead of string concatenation. Then it will unescape correctly later on.
I don't have time make a patch, but I thought I'd report this anyhow.
As a temporary workaround, you can QueryString escape the URL pattern yourself before entering it. The correct pattern (without the escapes) will be inserted into the database and shown in the UI.