fix(unescape): fixed bug where intermediate string contains escaped characters (validatorjs#1835)

* Fixed bug where intermediate string contains escaped characters

* Added reference to issue

Co-authored-by: Markus Tyrkkö <[email protected]>
Co-authored-by: Markus <[email protected]>

Author: 2 people

src/lib/unescape.js

@@ -2,12 +2,15 @@ import assertString from './util/assertString';
 
 export default function unescape(str) {
   assertString(str);
-  return (str.replace(/&/g, '&')
-    .replace(/"/g, '"')
+  return (str.replace(/"/g, '"')
     .replace(/'/g, "'")
     .replace(/&lt;/g, '<')
     .replace(/&gt;/g, '>')
     .replace(/&#x2F;/g, '/')
     .replace(/&#x5C;/g, '\\')
-    .replace(/&#96;/g, '`'));
+    .replace(/&#96;/g, '`')
+    .replace(/&amp;/g, '&'));
+  // &amp; replacement has to be the last one to prevent
+  // bugs with intermediate strings containing escape sequences
+  // See: https://github.com/validatorjs/validator.js/issues/1827
 }

test/sanitizers.js

@@ -184,6 +184,9 @@ describe('Sanitizers', () => {
 
         'Backtick: `':
             'Backtick: `',
+
+        'Escaped string: <':
+            'Escaped string: <',
       },
     });
   });