@@ -1146,14 +1146,13 @@ system might be used to do bad things to your machine.
11461146(((replace method)))(((file server example)))(((leak)))(((period
11471147character)))(((slash character)))(((backslash
11481148character)))(((decodeURIComponent function)))It is enough to strip out
1149- all occurrences of two dots that have a slash, a backslash, or
1150- the end of the string on both sides. Using the `replace` method with a
1151- ((regular expression)) is the easiest way to do this. Do not forget
1152- the `g` flag on the expression, or `replace` will replace only a
1153- single instance, and people could still get around this safety measure
1154- by including additional double dots in their paths! Also make sure you
1155- do the replace _after_ decoding the string, or it would be possible to
1156- foil the check by encoding a dot or a slash.
1149+ all occurrences of two dots that have a slash, a backslash, or the end
1150+ of the string on both sides. Using the `replace` method with a
1151+ ((regular expression)) is the easiest way to do this. But since such
1152+ instances may overlap (as in `"/../../f"`), you may have to apply
1153+ `replace` multiple times, until the string no longer changes. Also
1154+ make sure you do the replace _after_ decoding the string, or it would
1155+ be possible to foil the check by encoding a dot or a slash.
11571156
11581157(((path,file system)))(((slash character)))Another potentially
11591158worrying case is when paths start with a slash, which are interpreted as
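Review bot: the rewritten paragraph drops the earlier warning about the `g` flag without saying whether the repeat-until-unchanged loop makes it unnecessary; make that explicit, since a reader who keeps a single global `replace` and skips the loop is left with exactly the overlap case `"/../../f"` this change is about. Suggest stating that one pass is not sufficient on its own and that repeating `replace` until the string no longer changes is what provides the guarantee, and showing the intermediate result of the first pass on `"/../../f"` so the overlap is concrete rather than asserted.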