fix: encode quotation mark in URLs (#1155)

fixes #1154 --------- Signed-off-by: Jan Kowalleck <[email protected]>
CycloneDX · Oct 24, 2024 · d559aa3 · d559aa3
1 parent bdbe727
commit d559aa3
Show file tree

Hide file tree

Showing 23 changed files with 177 additions and 5 deletions.
diff --git a/HISTORY.md b/HISTORY.md
@@ -6,6 +6,8 @@ All notable changes to this project will be documented in this file.
 
 <!-- add unreleased items here -->
 
+* Fixed
+  * Encode quotation marks in URLs ([#1154] via [#1155])
 * Build
   * Use _TypeScript_ `v5.6.2` now, was `v5.5.3` (via [#1130]. [#1144])
   * Use _webpack_ `v5.95.0` now, was `v5.93.0` (via [#1138], [#1147])
@@ -14,6 +16,8 @@ All notable changes to this project will be documented in this file.
 [#1138]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1138
 [#1144]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1144
 [#1147]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1147
+[#1154]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1154
+[#1155]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1155
 
 ## 6.11.0 -- 2024-07-15
 

diff --git a/src/_helpers/uri.ts b/src/_helpers/uri.ts
@@ -19,12 +19,14 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 
 const _ESCAPES: Array<[RegExp, string]> = [
   [/ /g, '%20'],
+  [/"/g, '%22'],
+  [/'/g, '%27'],
   [/\[/g, '%5B'],
   [/]/g, '%5D'],
   [/</g, '%3C'],
   [/>/g, '%3E'],
   [/\{/g, '%7B'],
-  [/}/g, '%7D']
+  [/}/g, '%7D'],
 ]
 
 /**
@@ -34,10 +36,10 @@ const _ESCAPES: Array<[RegExp, string]> = [
  *
  * BEST EFFORT IMPLEMENTATION
  *
- * @see http://www.w3.org/TR/xmlschema-2/#anyURI
- * @see http://www.datypic.com/sc/xsd/t-xsd_anyURI.html
- * @see https://datatracker.ietf.org/doc/html/rfc2396
- * @see https://datatracker.ietf.org/doc/html/rfc3987
+ * @see {@link http://www.w3.org/TR/xmlschema-2/#anyURI}
+ * @see {@link http://www.datypic.com/sc/xsd/t-xsd_anyURI.html}
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc2396}
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc3987}
  */
 export function escapeUri<T extends (string | undefined)> (value: T): T {
   if (value === undefined) {

diff --git a/tests/_data/models.js b/tests/_data/models.js
@@ -284,6 +284,7 @@ module.exports.createComplexStructure = function () {
             ['encode anyUri: mailto', 'mailto:[email protected]'],
             ['encode anyUri: relative path', '../foo/bar'],
             ['encode anyUri: space', 'https://example.org/foo bar bazz%20again+again'],
+            ['encode anyUri: quotation', `https://example.org/this"test"isa'test'`],
             ['encode anyUri: []', 'https://example.org/?bar[test]=baz[again]'],
             ['encode anyUri: <>', 'https://example.org/#<test><again>'],
             ['encode anyUri: {}', 'https://example.org/#{test}{again}'],

diff --git a/tests/_data/normalizeResults/json_sortedLists_spec1.2.json b/tests/_data/normalizeResults/json_sortedLists_spec1.2.json
diff --git a/tests/_data/normalizeResults/json_sortedLists_spec1.3.json b/tests/_data/normalizeResults/json_sortedLists_spec1.3.json
diff --git a/tests/_data/normalizeResults/json_sortedLists_spec1.4.json b/tests/_data/normalizeResults/json_sortedLists_spec1.4.json
diff --git a/tests/_data/normalizeResults/json_sortedLists_spec1.5.json b/tests/_data/normalizeResults/json_sortedLists_spec1.5.json
diff --git a/tests/_data/normalizeResults/json_sortedLists_spec1.6.json b/tests/_data/normalizeResults/json_sortedLists_spec1.6.json
diff --git a/tests/_data/normalizeResults/xml_sortedLists_spec1.2.json b/tests/_data/normalizeResults/xml_sortedLists_spec1.2.json
diff --git a/tests/_data/normalizeResults/xml_sortedLists_spec1.3.json b/tests/_data/normalizeResults/xml_sortedLists_spec1.3.json
diff --git a/tests/_data/normalizeResults/xml_sortedLists_spec1.4.json b/tests/_data/normalizeResults/xml_sortedLists_spec1.4.json
diff --git a/tests/_data/normalizeResults/xml_sortedLists_spec1.5.json b/tests/_data/normalizeResults/xml_sortedLists_spec1.5.json
diff --git a/tests/_data/normalizeResults/xml_sortedLists_spec1.6.json b/tests/_data/normalizeResults/xml_sortedLists_spec1.6.json
diff --git a/tests/_data/serializeResults/json_complex_spec1.2.json.bin b/tests/_data/serializeResults/json_complex_spec1.2.json.bin
diff --git a/tests/_data/serializeResults/json_complex_spec1.3.json.bin b/tests/_data/serializeResults/json_complex_spec1.3.json.bin
diff --git a/tests/_data/serializeResults/json_complex_spec1.4.json.bin b/tests/_data/serializeResults/json_complex_spec1.4.json.bin
diff --git a/tests/_data/serializeResults/json_complex_spec1.5.json.bin b/tests/_data/serializeResults/json_complex_spec1.5.json.bin
diff --git a/tests/_data/serializeResults/json_complex_spec1.6.json.bin b/tests/_data/serializeResults/json_complex_spec1.6.json.bin
diff --git a/tests/_data/serializeResults/xml_complex_spec1.2.xml.bin b/tests/_data/serializeResults/xml_complex_spec1.2.xml.bin
diff --git a/tests/_data/serializeResults/xml_complex_spec1.3.xml.bin b/tests/_data/serializeResults/xml_complex_spec1.3.xml.bin
diff --git a/tests/_data/serializeResults/xml_complex_spec1.4.xml.bin b/tests/_data/serializeResults/xml_complex_spec1.4.xml.bin
diff --git a/tests/_data/serializeResults/xml_complex_spec1.5.xml.bin b/tests/_data/serializeResults/xml_complex_spec1.5.xml.bin
diff --git a/tests/_data/serializeResults/xml_complex_spec1.6.xml.bin b/tests/_data/serializeResults/xml_complex_spec1.6.xml.bin