- fixed edge-cases in .protocol(), .port(), .subdomain(), .domain(), .tld(), .filename()

- fixed parsing of hostname in .hostname()

Author: rodneyrehm

README.md

@@ -165,6 +165,11 @@ URI.js is published under the [MIT license](http://www.opensource.org/licenses/m
 
 ## Changelog ##
 
+* Updated Punycode.js to version 0.3.0
+* added edge-case tests ("jim")
+* fixed edge-cases in .protocol(), .port(), .subdomain(), .domain(), .tld(), .filename()
+* fixed parsing of hostname in .hostname() 
+
 ### 1.3.0 ###
 
 * added .subdomain() convenience accessor

docs.html

@@ -178,6 +178,7 @@ <h3 id="accessors-protocol">protocol()</h3>
 uri.protocol(); // returns string "http"
 // set protocol
 uri.protocol("ftp"); // returns the URI instance for chaining</pre>
+    <p>NOTE: Throws a <code>TypeError</code> on illegal input</p>
 
     <h3 id="accessors-username">username()</h3>
     <pre class="prettyprint lang-js">var uri = new URI("http://user:pass@example.org/foo/hello.html");
@@ -208,6 +209,7 @@ <h3 id="accessors-port">port()</h3>
 // set port
 uri.port("80"); // returns the URI instance for chaining</pre>
     <p>NOTE: although the port may be considered an integer, within URI it is a string.</p>
+    <p>NOTE: Throws a <code>TypeError</code> on illegal input</p>
 
     <h3 id="accessors-host">host()</h3>
     <pre class="prettyprint lang-js">var uri = new URI("http://example.org:80/foo/hello.html");
@@ -234,6 +236,7 @@ <h3 id="accessors-domain">domain()</h3>
 // set domain
 uri.domain("otherdomain.com"); // returns the URI instance for chaining</pre>
     <p>NOTE: .domain() will throw an error if you pass it an empty string.</p>
+    <p>NOTE: Throws a <code>TypeError</code> on illegal input</p>
 
     <h3 id="accessors-subdomain">subdomain()</h3>
     <p>.subdomain() is a convenience method that returns <code>www</code> from the hostname <code>www.example.org</code>.</p>
@@ -242,6 +245,7 @@ <h3 id="accessors-subdomain">subdomain()</h3>
 uri.subdomain(); // returns string "www"
 // set subdomain
 uri.subdomain("other.subdomain"); // returns the URI instance for chaining</pre>
+    <p>NOTE: Throws a <code>TypeError</code> on illegal input</p>
 
     <h3 id="accessors-tld">tld()</h3>
     <p>.tld() is a convenience method that returns <code>org</code> from the hostname <code>www.example.org</code>.</p>
@@ -250,7 +254,7 @@ <h3 id="accessors-tld">tld()</h3>
 uri.tld(); // returns string "org"
 // set tld
 uri.tld("com"); // returns the URI instance for chaining</pre>
-    <p>NOTE: .tld() will throw an error if you pass it an empty string or use it on an IP-host.</p>
+    <p>NOTE: Throws an <code>Error</code> if you pass it an empty string or use it on an IP-host.</p>
 
     <h3 id="accessors-pathname">pathname(), path()</h3>
     <p>.path() is an alias of .pathname()</p>
@@ -295,6 +299,7 @@ <h3 id="accessors-filename">filename()</h3>
 uri.filename() === 'hello%20world.html';
 // will decode for you
 uri.filename(true) === 'hello world.html';</pre>
+    <p>NOTE: If you pass <code>../file.html</code>, the directory will be changed accordingly</p>
 
     <h3 id="accessors-suffix">suffix()</h3>
     <p>.suffix() is an convenience method for mutating the filename part of a path</p>

src/URI.js

@@ -86,7 +86,10 @@ URI.defaultPorts = {
     https: "443", 
     ftp: "21"
 };
-
+// allowed hostname characters according to RFC 3986
+// ALPHA DIGIT "-" "." "_" "~" "!" "$" "&" "'" "(" ")" "*" "+" "," ";" "=" %encoded
+// I've never seen a (non-IDN) hostname other than: ALPHA DIGIT . -
+URI.invalid_hostname_characters = /[^a-zA-Z0-9\.-]/;
 // encoding / decoding according to RFC3986
 URI.encode = encodeURIComponent;
 URI.decode = decodeURIComponent;
@@ -206,6 +209,7 @@ URI.parseHost = function(string, parts) {
         parts.port = string.substring(bracketPos+2, pos) || null;
     } else if (string.indexOf(':') !== string.lastIndexOf(':')) {
         // IPv6 host contains multiple colons - but no port
+        // this notation is actually not allowed by RFC 3986, but we're a liberal parser
         parts.hostname = string.substring(0, pos) || null;
         parts.port = null;
     } else {
@@ -457,6 +461,22 @@ URI.withinString = function(string, callback) {
     return string.replace(URI.find_uri_expression, callback);
 };
 
+URI.ensureValidHostname = function(v) {
+    // Theoretically URIs allow percent-encoding in Hostnames (according to RFC 3986)
+    // they are not part of DNS and therefore ignored by URI.js
+    
+    if (v.match(URI.invalid_hostname_characters)) {
+        // test punycode
+        if (!window.punycode) {
+            throw new TypeError("Hostname '" + v + "' contains characters other than [A-Z0-9.-] and Punycode.js is not available");
+        }
+        
+        if (punycode.toASCII(v).match(URI.invalid_hostname_characters)) {
+            throw new TypeError("Hostname '" + v + "' contains characters other than [A-Z0-9.-]");
+        }
+    }
+};
+
 p.build = function(deferBuild) {
     if (deferBuild === true) {
         this._deferred_build = true;
@@ -627,6 +647,52 @@ p.is = function(what) {
     return null;
 };
 
+// component specific input validation
+var _protocol = p.protocol,
+    _port = p.port,
+    _hostname = p.hostname;
+
+p.protocol = function(v, build) {
+    if (v !== undefined) {
+        // accept trailing :
+        if (v) {
+            if (v[v.length - 1] === ":") {
+                v = v.substring(0, v.length - 1);
+            } else if (v.match(/[^a-zA-z0-9\.+-]/)) {
+                throw new TypeError("Protocol '" + v + "' contains characters other than [A-Z0-9.+-]");
+            }
+        }
+    }
+    return _protocol.call(this, v, build);
+};
+p.port = function(v, build) {
+    if (v !== undefined) {
+        if (v === 0) {
+            v = null;
+        }
+        
+        if (v) {
+            v += "";
+            if (v[0] === ":") {
+                v = v.substring(1);
+            }
+            
+            if (v.match(/[^0-9]/)) {
+                throw new TypeError("Port '" + v + "' contains characters other than [0-9]");
+            }
+        }
+    }
+    return _port.call(this, v, build);
+};
+p.hostname = function(v, build) {
+    if (v !== undefined) {
+        var x = {};
+        URI.parseHost(v, x);
+        v = x.hostname;
+    }
+    return _hostname.call(this, v, build);
+};
+
 // combination accessors
 p.host = function(v, build) {
     if (v === undefined) {
@@ -666,6 +732,10 @@ p.subdomain = function(v, build) {
             v += ".";
         }
 
+        if (v) {
+            URI.ensureValidHostname(v);
+        }
+        
         this._parts.hostname = this._parts.hostname.replace(replace, v);
         this.build(!build);
         return this;
@@ -683,7 +753,11 @@ p.domain = function(v, build) {
     } else {
         if (!v) {
             throw new TypeError("cannot set domain empty");
-        } else if (!this._parts.hostname || this.is('IP')) {
+        }
+        
+        URI.ensureValidHostname(v);
+        
+        if (!this._parts.hostname || this.is('IP')) {
             this._parts.hostname = v;
         } else {
             var replace = new RegExp(escapeRegEx(this.domain()) + "$");
@@ -706,6 +780,8 @@ p.tld = function(v, build) {
     } else {
         if (!v) {
             throw new TypeError("cannot set TLD empty");
+        } else if (v.match(/[^a-zA-Z0-9-]/)) {
+            throw new TypeError("TLD '" + v + "' contains characters other than [A-Z0-9]");
         } else if (!this._parts.hostname || this.is('IP')) {
             throw new ReferenceError("cannot set TLD on non-domain host");
         } else {
@@ -766,15 +842,25 @@ p.filename = function(v, build) {
 
         return v ? URI.decodePathSegment(res) : res;
     } else {
-
+        var mutatedDirectory = false;
         if (v[0] === '/') {
             v = v.substring(1);
         }
 
+        if (v.match(/\.?\//)) {
+            mutatedDirectory = true;
+        }
+        
         var replace = new RegExp(escapeRegEx(this.filename()) + "$");
         v = URI.recodePath(v);
         this._parts.path = this._parts.path.replace(replace, v);
-        this.build(!build);
+        
+        if (mutatedDirectory) {
+            this.normalizePath(build);
+        } else {
+            this.build(!build);
+        }
+        
         return this;
     }
 };

test/test_jim.js

@@ -1,61 +1,112 @@
 /*
-   What would jim do?
+ * What would jim do?
+ * more tests for border-edge cases
+ * Christian Harms.
+ *
+ * Note: I have no clue who or what jim is supposed to be. It might be something like the German DAU (dumbest possible user)
+ */
 
-   more tests for border-edge cases
-
-   Christian Harms.
-
-*/
-
-// try to set one part - modify the next part
 module("injection");
 test("protocol", function() {
     var u = new URI("http://example.com/dir1/dir2/?query1=value1&query2=value2#hash");
-    u.protocol("ftp://example.org");
+    raises(function() {
+        u.protocol("ftp://example.org");
+    }, TypeError, "Failing invalid characters");
+
+    u.protocol("ftp:");
     equal(u.protocol(), "ftp", "protocol() has set invalid protocoll!");
     equal(u.hostname(), "example.com", "protocol() has changed the hostname");
-    });
-
+});
 test("port", function() {
     var u = new URI("http://example.com/dir1/dir2/?query1=value1&query2=value2#hash");
-    u.port("99:example.org");
+    raises(function() {
+        u.port("99:example.org");
+    }, TypeError, "Failing invalid characters");
+
+    u.port(":99");
     equal(u.hostname(), "example.com", "port() has modified hostname");
     equal(u.port(), 99, "port() has set an invalid port");
-    });
-test("domain", function() {
-    var u = new URI("http://example.com/dir1/dir2/?query1=value1&query2=value2#hash");
-    u.domain("example.org/dir0/");
-    equal(u.hostname(), "example.com", "domain() has set invalid domain");
-    equal(u.path(), "/dir1/dir2/", "domain() has inflicted path with part of domainname");
 
-    });
+    u.port(false);
+    equal(u.port(), "", "port() has set an invalid port");
+  
+    // RFC 3986 says nothing about "16-bit unsigned" http://tools.ietf.org/html/rfc3986#section-3.2.3
+    // u.href(new URI("http://example.com/"))
+    // u.port(65536);
+    // notEqual(u.port(), "65536", "port() has set to an non-valid value (A port number is a 16-bit unsigned integer)");
 
+    raises(function() {
+        u.port("-99");
+    }, TypeError, "Failing invalid characters");
+});
+test("domain", function() {
+    var u = new URI("http://example.com/dir1/dir2/?query1=value1&query2=value2#hash");
+    
+    raises(function() {
+        u.domain("example.org/dir0/");
+    }, TypeError, "Failing invalid characters");
+    
+    raises(function() {
+        u.domain("example.org:80");
+    }, TypeError, "Failing invalid characters");
+    
+    raises(function() {
+        u.domain("foo@example.org");
+    }, TypeError, "Failing invalid characters");
+});
+test("subdomain", function() {
+    var u = new URI("http://example.com/dir1/dir2/?query1=value1&query2=value2#hash");
+    
+    raises(function() {
+        u.subdomain("example.org/dir0/");
+    }, TypeError, "Failing invalid characters");
+    
+    raises(function() {
+        u.subdomain("example.org:80");
+    }, TypeError, "Failing invalid characters");
+    
+    raises(function() {
+        u.subdomain("foo@example.org");
+    }, TypeError, "Failing invalid characters");
+});
+test("tld", function() {
+    var u = new URI("http://example.com/dir1/dir2/?query1=value1&query2=value2#hash");
+    
+    raises(function() {
+        u.tld("foo/bar.html");
+    }, TypeError, "Failing invalid characters");
+});
 test("path", function() {
     var u = new URI("http://example.com/dir1/dir2/?query1=value1&query2=value2#hash");
-    u.path("/dir3/?query3=value3");
+    u.path("/dir3/?query3=value3#fragment");
     equal(u.hostname(), "example.com", "path() has modified hostname");
-    equal(u.path(), "/dir3/%3Fquery3=value3", "path() has set invalid path");
+    equal(u.path(), "/dir3/%3Fquery3=value3%23fragment", "path() has set invalid path");
     equal(u.query(), "query1=value1&query2=value2", "path() has modified query");
-    });
-
+    equal(u.fragment(), "hash", "path() has modified fragment");
+});
 test("filename", function() {
     var u = new URI("http://example.com/dir1/dir2/?query1=value1&query2=value2#hash");
-    u.filename("../name.html?query");
-    equal(u.hostname(), "example.com", "filename() has modified hostname");
-    equal(u.path(), "/dir1/dir2/", "filename() has modified path");
-    equal(u.filename(), "name.html%3Fquery", "filename() has set invalid filename")
+
+    u.filename("name.html?query");
+    equal(u.filename(), "name.html%3Fquery", "filename() has set invalid filename");
     equal(u.query(), "query1=value1&query2=value2", "filename() has modified query");
-    });
-        
+
+    // allowed!
+    u.filename("../name.html?query");
+    equal(u.filename(), "name.html%3Fquery", "filename() has set invalid filename");
+    equal(u.directory(), "/dir1", "filename() has not altered directory properly");
+});
 test("addQuery", function() {
     var u = new URI("http://example.com/dir1/dir2/?query1=value1&query2=value2#hash");
     u.addQuery("query3", "value3#got");
     equal(u.query(), "query1=value1&query2=value2&query3=value3%23got", "addQuery() has set invalid query");
     equal(u.fragment(), "hash", "addQuery() has modified fragment");
-    });
+});
 
-    
-// try to set not-valid values - check the rfc-allowed parts
+ 
+/*
+// RFC 3986 says "…and should limit these names to no more than 255 characters in length."
+// SHOULD is not MUST therefore not the responsibility of URI.js
 
 module("validation");
 test("domain", function() {
@@ -88,12 +139,5 @@ test("domain", function() {
     }
     u.domain(domain);
     equals(u.hostname() == domain, true, "set domain() with 70-character subdomain  not valid domainname");
-    });
-
-test("port", function() {
-    var u = new URI("http://example.com/");
-    u.port(65536);
-    equal(u.port() === 65536, false, "port() has set to an non-valid value (A port number is a 16-bit unsigned integer)");
-    u.port(-1);
-    equal(u.port() === -1, false, "port() has set to an non-valid value (A port number is a 16-bit unsigned integer)");
-    });
+});
+*/