Avoid unescaping %uXXXX in iso-8859-1 mode

papandreou · papandreou · commit bd9bc06d2bff · 2018-07-26T00:05:42.000+02:00
ljharb#268 (comment)
diff --git a/lib/utils.js b/lib/utils.js
@@ -110,7 +110,8 @@ var assign = function assignSingleSource(target, source) {
 var decode = function (str, decoder, charset) {
     var strWithoutPlus = str.replace(/\+/g, ' ');
     if (charset === 'iso-8859-1') {
-        return unescape(strWithoutPlus); // Cannot throw
+        // unescape never throws, no try...catch needed:
+        return strWithoutPlus.replace(/%[0-9a-f]{2}/gi, unescape);
     }
     // utf-8
     try {
diff --git a/test/parse.js b/test/parse.js
@@ -627,5 +627,10 @@ test('parse()', function (t) {
         st.end();
     });
 
+    t.test('does not interpret %uXXXX syntax in iso-8859-1 mode', function (st) {
+        st.deepEqual(qs.parse('%u263A=%u263A', { charset: 'iso-8859-1' }), { '%u263A': '%u263A' });
+        st.end();
+    });
+
     t.end();
 });
