Merge pull request #179 from danielberndt/patch-1

Don't decode url before encoding it again

Author: jgm

lib/common.js

@@ -1,7 +1,6 @@
 "use strict";
 
 var encode = require('mdurl/encode');
-var decode = require('mdurl/decode');
 
 var C_BACKSLASH = 92;
 
@@ -56,7 +55,7 @@ var unescapeString = function(s) {
 
 var normalizeURI = function(uri) {
     try {
-        return encode(decode(uri));
+        return encode(uri);
     }
     catch(err) {
         return uri;

test/regression.txt

@@ -122,7 +122,15 @@ Double-encoding.
 ```````````````````````````````` example
 [XSS](javascript:alert%28'XSS'%29)
 .
-<p><a href="javascript&amp;colon;alert('XSS')">XSS</a></p>
+<p><a href="javascript&amp;colon;alert%28'XSS'%29">XSS</a></p>
+````````````````````````````````
+
+PR #179
+
+```````````````````````````````` example
+[link](https://www.example.com/home/%25batty)
+.
+<p><a href="https://www.example.com/home/%25batty">link</a></p>
 ````````````````````````````````
 
 Issue commonamrk#517 - script, pre, style close tag without