Merge branch 'alpha' into fix/pages-locale-path-traversal

Signed-off-by: Manuel <[email protected]>

Author: mtrezza

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,17 @@
+# [9.6.0-alpha.38](https://github.com/parse-community/parse-server/compare/9.6.0-alpha.37...9.6.0-alpha.38) (2026-03-18)
+
+
+### Bug Fixes
+
+* Sanitize control characters in page parameter response headers ([#10237](https://github.com/parse-community/parse-server/issues/10237)) ([337ffd6](https://github.com/parse-community/parse-server/commit/337ffd65ccf94495a54cd883c5e8fa7a3892606c))
+
+# [9.6.0-alpha.37](https://github.com/parse-community/parse-server/compare/9.6.0-alpha.36...9.6.0-alpha.37) (2026-03-18)
+
+
+### Bug Fixes
+
+* Security fix fast-xml-parser from 5.5.5 to 5.5.6 ([#10235](https://github.com/parse-community/parse-server/issues/10235)) ([f521576](https://github.com/parse-community/parse-server/commit/f521576143336334aad2cbac82c3f368afe8f706))
+
 # [9.6.0-alpha.36](https://github.com/parse-community/parse-server/compare/9.6.0-alpha.35...9.6.0-alpha.36) (2026-03-18)
 
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "9.6.0-alpha.36",
+  "version": "9.6.0-alpha.38",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {

package.json

@@ -1096,6 +1096,32 @@ describe('Pages Router', () => {
           await fs.rm(targetDir, { recursive: true, force: true });
         }
       });
+
+      it('does not return 500 when page parameter contains CRLF characters', async () => {
+        await reconfigureServer(config);
+        const crlf = 'abc\r\nX-Injected: 1';
+        const url = `${config.publicServerURL}/apps/choose_password?appId=test&token=${encodeURIComponent(crlf)}&username=testuser`;
+        const response = await request({
+          url: url,
+          followRedirects: false,
+        }).catch(e => e);
+        expect(response.status).not.toBe(500);
+        expect(response.status).toBe(200);
+      });
+
+      it('does not return 500 when page parameter contains CRLF characters in redirect response', async () => {
+        await reconfigureServer(config);
+        const crlf = 'abc\r\nX-Injected: 1';
+        const url = `${config.publicServerURL}/apps/test/resend_verification_email`;
+        const response = await request({
+          method: 'POST',
+          url: url,
+          headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+          body: `username=${encodeURIComponent(crlf)}`,
+          followRedirects: false,
+        }).catch(e => e);
+        expect(response.status).not.toBe(500);
+      });
     });
 
     describe('custom route', () => {

spec/PagesRouter.spec.js

@@ -455,13 +455,7 @@ export class PagesRouter extends PromiseRouter {
 
     // Add placeholders in header to allow parsing for programmatic use
     // of response, instead of having to parse the HTML content.
-    const encode = this.pagesConfig.encodePageParamHeaders;
-    const headers = Object.entries(params).reduce((m, p) => {
-      if (p[1] !== undefined) {
-        m[`${pageParamHeaderPrefix}${p[0].toLowerCase()}`] = encode ? encodeURIComponent(p[1]) : p[1];
-      }
-      return m;
-    }, {});
+    const headers = this.composePageParamHeaders(params);
 
     return { text: data, headers: headers };
   }
@@ -561,6 +555,29 @@ export class PagesRouter extends PromiseRouter {
     return locale;
   }
 
+  /**
+   * Composes page parameter headers from the given parameters. Control
+   * characters are always stripped from header values to prevent
+   * ERR_INVALID_CHAR errors. Values are URI-encoded if the
+   * `encodePageParamHeaders` option is enabled.
+   * @param {Object} params The parameters to include in the headers.
+   * @returns {Object} The headers object.
+   */
+  composePageParamHeaders(params) {
+    const encode = this.pagesConfig.encodePageParamHeaders;
+    return Object.entries(params).reduce((m, p) => {
+      if (p[1] !== undefined) {
+        let value = encode ? encodeURIComponent(p[1]) : p[1];
+        if (typeof value === 'string') {
+          // eslint-disable-next-line no-control-regex
+          value = value.replace(/[\x00-\x1f\x7f]/g, '');
+        }
+        m[`${pageParamHeaderPrefix}${p[0].toLowerCase()}`] = value;
+      }
+      return m;
+    }, {});
+  }
+
   /**
    * Creates a response with http redirect.
    * @param {Object} req The express request.
@@ -584,13 +601,7 @@ export class PagesRouter extends PromiseRouter {
 
     // Add parameters to header to allow parsing for programmatic use
     // of response, instead of having to parse the HTML content.
-    const encode = this.pagesConfig.encodePageParamHeaders;
-    const headers = Object.entries(params).reduce((m, p) => {
-      if (p[1] !== undefined) {
-        m[`${pageParamHeaderPrefix}${p[0].toLowerCase()}`] = encode ? encodeURIComponent(p[1]) : p[1];
-      }
-      return m;
-    }, {});
+    const headers = this.composePageParamHeaders(params);
 
     return {
       status: 303,